CVE-2025-26956
Published: 27 March 2025
Summary
CVE-2025-26956 is a high-severity Missing Authorization (CWE-862) vulnerability in the shinetheme Traveler WordPress theme. Its CVSS v3.1 base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 46.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-26956 is a Missing Authorization vulnerability (CWE-862) in the shinetheme Traveler WordPress theme. It affects all Traveler versions prior to 3.2.1; the advisory gives no lower bound ("n/a").
The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H). A low-privileged user (PR:L) can exploit it over the network with low attack complexity and no user interaction; scope is unchanged, and the vector records low confidentiality and integrity impact with high availability impact. On a WordPress site, PR:L is commonly satisfied by any authenticated account, including a Subscriber on a site that allows open registration, so the privilege bar should be read as "has a login", not "has an elevated role".
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-1-8-broken-access-control-vulnerability-2?_s_id=cve describes the issue as broken access control in the Traveler theme. The fix is to update to Traveler 3.2.1 or later.
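The page does not say which Traveler endpoint lacks its check, so the following is an added illustration of the CWE-862 pattern as it usually appears in WordPress themes; it is not Traveler's code and does not describe the Traveler bug. The action name `theme_reset_settings`, the option `theme_settings`, the capability and the destructive side effect (chosen to mirror the vector's A:H) are all hypothetical. What it shows is why PR:L is enough: `wp_ajax_{action}` handlers run for every authenticated role, so the only thing standing between a Subscriber and the handler body is the `current_user_can()` call.

```php
<?php
// Added illustration of the CWE-862 pattern in a WordPress theme. This is
// NOT the Traveler theme's code and does not describe the Traveler bug; the
// action name, option name and chosen side effect are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_{action} fires for every authenticated user regardless of role, so
// "logged in" is the only gate. That is the PR:L of the CVSS vector: a
// Subscriber can POST action=theme_reset_settings to /wp-admin/admin-ajax.php.
function theme_reset_settings_unsafe() {
    // No capability check and no nonce: authorization is simply missing.
    delete_option( 'theme_settings' );          // destructive, hence the A:H flavour
    wp_send_json_success( 'reset' );
}
// add_action( 'wp_ajax_theme_reset_settings', 'theme_reset_settings_unsafe' ); // before the fix

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_theme_reset_settings', 'theme_reset_settings_safe' );
function theme_reset_settings_safe() {
    // CSRF: the request must carry a nonce minted for this action; on failure
    // check_ajax_referer() stops the request with HTTP 403.
    check_ajax_referer( 'theme_reset_settings', 'nonce' );

    // Authorization (AC-3): require a capability that only administrators hold
    // by default. This single check is what CWE-862 says is absent.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // ends the request
    }

    delete_option( 'theme_settings' );
    wp_send_json_success( 'reset' );
}

// --- Same rule for REST routes ------------------------------------------
// permission_callback is the REST equivalent; '__return_true' on a state-
// changing route recreates the missing-authorization bug.
add_action( 'rest_api_init', function () {
    register_rest_route( 'theme/v1', '/reset', array(
        'methods'             => 'POST',
        'callback'            => function () {
            delete_option( 'theme_settings' );
            return rest_ensure_response( array( 'reset' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

A nonce on its own is not authorization: any logged-in user can obtain a valid nonce from a page that prints one, so `check_ajax_referer()` only closes the CSRF angle. The `current_user_can()` test is the control whose absence makes a handler CWE-862, and it has to run before any state change, not after.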
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8524
Vulnerability details
Missing Authorization vulnerability in shinetheme Traveler traveler. This issue affects Traveler: from n/a through < 3.2.1.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques: T1190 Exploit Public-Facing Application
Why these techniques?
A missing-authorization (broken access control) flaw in a public-facing WordPress theme lets a low-privileged remote user exploit the application directly over the network, which is the pattern T1190 describes.
Affected Assets
shinetheme Traveler WordPress theme, all versions prior to 3.2.1 (child themes built on Traveler inherit the parent theme's code and are affected at the parent's version).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly mandates enforcement of approved authorizations for access to system resources, which is the check the Traveler theme is missing.
- SI-2 (Flaw Remediation): requires timely identification, reporting and correction of flaws like this CVE, here by updating Traveler to version 3.2.1 or later.
- AC-6 (Least Privilege): keeps ordinary accounts at the lowest role they need and limits who can obtain one, which narrows the pool of PR:L attackers able to reach the flawed code path and bounds what they can do with it.