CVE-2025-2289: 
WordPress vulnerability analysis and mitigation

The Zegen - Church WordPress Theme for WordPress contains a vulnerability (CVE-2025-2289) related to unauthorized access due to missing capability checks on several AJAX endpoints. This vulnerability affects all versions up to and including 1.1.9. The issue was disclosed on March 14, 2025, and allows authenticated attackers with Subscriber-level access or higher to perform unauthorized actions (NVD).

The vulnerability stems from missing authorization checks on multiple AJAX endpoints within the theme. This security flaw has been assigned a CVSS v3.1 base score of 8.8 (HIGH) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Wordfence assessed it with a score of 4.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified under CWE-862 (Missing Authorization) (NVD).

The vulnerability enables authenticated attackers with Subscriber-level privileges or higher to import, export, and update theme options without proper authorization. This could potentially lead to unauthorized modifications of theme settings and configuration (NVD).

Users should upgrade to a version newer than 1.1.9 when available. The latest version of the theme as of October 2024 is 1.1.9, which is still vulnerable (Theme Details).