CVE-2025-53302
Status: Deferred - Pending Action
Missing Authorization in Constructor Allows Unrestricted Access

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: Patchstack

Description
Missing Authorization vulnerability in Anton Shevchuk Constructor allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Constructor: from n/a through 1.6.5.
Meta Information
Published: 2026-06-02
Last Modified: 2026-06-02
Generated: 2026-06-22
AI Q&A: 2026-06-02
EPSS Evaluated: 2026-06-21
Affected Vendors & Products
Showing 1 associated CPE
Vendor: anton_shevchuk
Product: constructor
Version / Range: From 1.0.0 (inc) to 1.6.5 (inc)
CWE
CWE ID: CWE-862
Description: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2025-53302 is a Broken Access Control vulnerability in the WordPress Constructor Theme versions 1.6.5 and below. It occurs because of missing authorization, authentication, or nonce token checks, which allows unauthenticated users to perform actions that should require higher privileges.

Compliance Impact

The vulnerability is a Broken Access Control issue that allows unauthenticated users to perform higher-privileged actions due to missing authorization checks.

Such unauthorized access could potentially lead to unauthorized exposure or manipulation of data, which may impact compliance with standards and regulations like GDPR or HIPAA that require strict access controls to protect sensitive information.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Impact Analysis

This vulnerability can allow attackers to perform higher-privileged actions without proper authorization. Although classified as low severity with a CVSS score of 5.3, it can be exploited in mass campaigns targeting thousands of websites, potentially leading to unauthorized access or changes within affected sites.

Detection Guidance

The vulnerability allows unauthenticated users to perform higher-privileged actions due to missing authorization checks in the WordPress Constructor Theme versions 1.6.5 and below.

There is no specific detection command or signature provided in the available resources to identify exploitation attempts or presence of this vulnerability on your network or system.

To detect potential exploitation, monitoring for unusual access patterns or unauthorized actions on the affected theme functionality could be helpful, but no direct commands or tools are mentioned.

Mitigation Strategies

Immediate mitigation steps include updating the WordPress Constructor Theme to a version higher than 1.6.5 if available.

Since no official patch or Vendor Disclosure Program has been issued, it is recommended to seek assistance from your hosting provider or a developer to implement custom access control measures.

Additionally, using vulnerability mitigation solutions such as Patchstack's RapidMitigate and New Threat Intelligence API can help address this issue.
