CVE-2025-1326: 
WordPress vulnerability analysis and mitigation

The Homey theme for WordPress contains a security vulnerability (CVE-2025-1326) discovered and disclosed by Wordfence on May 1, 2025. The vulnerability affects all versions up to and including 2.4.4, stemming from a missing capability check in the homeyreservationdel() function. This security flaw has been classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 base score of 4.3 (Medium) (NVD, Wiz).

The vulnerability is characterized by a Missing Authorization issue (CWE-862) with a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. This indicates network accessibility, low attack complexity, and required low privileges. The security flaw specifically exists in the homeyreservationdel() function which lacks proper capability checks for user authorization (NVD, Wiz).

The vulnerability enables authenticated attackers with Subscriber-level access or higher to delete arbitrary reservations and posts within the WordPress installation. This unauthorized access to deletion functionality could potentially disrupt business operations and lead to loss of booking data (Wiz).

Users of the Homey WordPress theme should upgrade to a version newer than 2.4.4 when available. Until a patch is released, site administrators should consider restricting user roles and implementing additional access controls (Wiz).