Description
The Spacious theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'welcome_notice_import_handler' function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data into the site.
Published: 2025-08-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification
Action: Upgrade Theme
AI Analysis

Impact

The Spacious WordPress theme contains a missing capability check in the welcome_notice_import_handler function, which allows any authenticated user with Subscriber level or higher to import demo data into the site. This can overwrite existing content or add new entries, leading to unauthorized modification of the website’s data and disrupting its intended appearance or functionality. The vulnerability is a classic missing authorization issue (CWE‑862).

Affected Systems

Themegrill’s Spacious theme, up to and including version 1.9.11, is affected. WordPress sites that have installed any of these versions are vulnerable unless they have been upgraded beyond 1.9.11.

Risk and Exploitability

The CVSS score of 4.3 denotes moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Attacking this flaw requires a valid user account with at least Subscriber permissions, which is typically easy to obtain through legitimate sign‑ups or credential compromise. Once authenticated, an attacker can trigger the import functionality via the site’s admin interface or by sending a crafted request to the relevant endpoint. The attack is non‑remote in that it requires prior authentication, but once authenticated, any user can perform the exploit without additional privileges.

Generated by OpenCVE AI on April 22, 2026 at 16:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Spacious theme to the latest available version, which removes the missing capability check.
  • If an upgrade is not immediately possible, remove or restrict the welcome_notice_import_handler endpoint for users with Subscriber level or lower, for example by editing the theme code to add a capability check or using a plugin that limits access to demo‑import functions.
  • Monitor the site’s logs for unexplained import operations performed by Subscriber accounts and review content changes to detect potential unauthorized modifications.

Generated by OpenCVE AI on April 22, 2026 at 16:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28834 The Spacious theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'welcome_notice_import_handler' function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data into the site.
History

Sat, 23 Aug 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 22 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 Aug 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Spacious theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'welcome_notice_import_handler' function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data into the site.
Title Spacious <= 1.9.11 - Missing Authorization to Autheticated (Subscriber+) Demo Data Import
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:03.456Z

Reserved: 2025-08-21T21:41:45.367Z

Link: CVE-2025-9331

cve-icon Vulnrichment

Updated: 2025-08-22T14:00:17.773Z

cve-icon NVD

Status : Deferred

Published: 2025-08-22T12:15:35.267

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9331

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T17:00:12Z

Weaknesses