Description
Missing Authorization vulnerability in NooTheme CitiLights noo-citilights allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CitiLights: from n/a through < 3.7.2.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Apply Patch
AI Analysis

Impact

Missing authorization controls in the NooTheme CitiLights WordPress theme allow attackers to execute actions reserved for privileged users. The flaw arises from incorrectly configured access control security levels, enabling non‑privileged or unauthenticated users to reach functions normally restricted. As a result, attackers could edit content, manage theme settings, or otherwise alter the site without proper verification, undermining confidentiality and integrity of site data.

Affected Systems

The vulnerability affects the NooTheme CitiLights theme for WordPress versions up to, but not including, 3.7.2. Any installation of the theme with a version number less than 3.7.2 is potentially exposed.

Risk and Exploitability

The CVSS v3.1 score of 5.3 indicates moderate severity, with a low EPSS of less than 1 %. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is via the web interface; an attacker could manipulate URLs or form inputs that bypass the missing authorization checks. No public exploit code is known, and exploitation would require knowledge of the theme’s internal endpoints or configuration.

Generated by OpenCVE AI on April 16, 2026 at 00:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the CitiLights theme to version 3.7.2 or later, which contains a fixed authorization check.
  • If an update is not immediately possible, temporarily disable the theme or restrict its use to administrators only, ensuring that only authenticated users with appropriate roles can activate or interact with it.
  • Review and tighten user role capabilities in WordPress to prevent anonymous or low‑privileged accounts from accessing theme‑related settings, addressing the root cause of the missing authorization.

Generated by OpenCVE AI on April 16, 2026 at 00:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Nootheme
Nootheme citilights
Wordpress
Wordpress wordpress
Vendors & Products Nootheme
Nootheme citilights
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in NooTheme CitiLights noo-citilights allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CitiLights: from n/a through < 3.7.2.
Title WordPress CitiLights theme < 3.7.2 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Nootheme Citilights
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:50.219Z

Reserved: 2026-02-02T12:52:55.300Z

Link: CVE-2026-25367

cve-icon Vulnrichment

Updated: 2026-02-19T20:40:36.679Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T09:16:19.430

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25367

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T00:30:18Z

Weaknesses