CVE-2025-14392
Unauthorized Data Modification in Simple Theme Changer WordPress Plugin
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | simple_theme_changer | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Simple Theme Changer plugin for WordPress allows authenticated users with subscriber-level access or higher to modify the plugin's settings without proper authorization. This is due to missing capability checks on certain administrative actions within the plugin, enabling unauthorized modification of data.
How can this vulnerability impact me? :
This vulnerability can allow attackers with low-level authenticated access to change the plugin's settings, potentially leading to unauthorized changes in the website's theme behavior or appearance. While it does not directly impact confidentiality or availability, it can lead to integrity issues by allowing unauthorized modifications.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately restrict access to the Simple Theme Changer plugin settings to trusted users only, ensuring that subscriber-level users cannot modify plugin settings. Consider updating or patching the plugin once a fixed version is released. Additionally, review user roles and capabilities to prevent unauthorized changes.