CVE-2025-69303
Published: 20 February 2026
Summary
CVE-2025-69303 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking sits at the 15.1 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-69303 is a Missing Authorization vulnerability (CWE-862) in the ModelTheme Framework WordPress plugin (modeltheme-framework). It allows an attacker to exploit incorrectly configured access control security levels. The vulnerability affects all versions below 2.0.0 (no lower bound is given, recorded as "n/a") and was published on 2026-02-20T16:22:18.243. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): high confidentiality impact, with no privileges or user interaction required.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity. Successful exploitation grants access to sensitive data without impacting integrity or availability.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/modeltheme-framework/vulnerability/wordpress-modeltheme-framework-plugin-1-9-2-broken-access-control-vulnerability?_s_id=cve documents the issue, specifically referencing version 1.9.2, and provides details on mitigation relevant to affected WordPress plugin installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207939
Vulnerability details
Missing Authorization vulnerability in modeltheme ModelTheme Framework modeltheme-framework allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ModelTheme Framework: from n/a through < 2.0.0.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Missing authorization (CWE-862) in a public-facing WordPress plugin directly enables remote, unauthenticated exploitation of internet-facing software to access sensitive data.
Affected Assets
- ModelTheme Framework WordPress plugin (modeltheme-framework), all versions below 2.0.0
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly mandates enforcement of approved authorizations for access to system resources, countering the missing authorization vulnerability in the plugin.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of system flaws, enabling patching of the vulnerable ModelTheme Framework versions to eliminate the access control gap.
- AC-6 (Least Privilege): enforces least privilege to restrict unauthorized access even if plugin authorization checks are bypassed or misconfigured.