CVE-2025-26867: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2025-26867 affects the WordPress Bulk theme versions 1.0.11 and below. It was discovered by Fariq Fadillah Gusti Insani and publicly disclosed on April 11, 2025. The vulnerability is classified as a Missing Authorization/Broken Access Control issue with a CVSS score of 5.3, indicating medium severity (Wiz, Patchstack).

The vulnerability is categorized as a Broken Access Control issue (CWE-862), which refers to a missing authorization, authentication, or nonce token check in a function. This security flaw could potentially allow an unprivileged user to execute certain higher privileged actions. The vulnerability has been assigned a CVSS v3.1 score of 5.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (Patchstack).

The vulnerability has been assessed to have a low severity impact and is considered unlikely to be exploited. The specific impact varies case by case, but generally, broken access control vulnerabilities can lead to unauthorized access to functionality intended for higher-privileged users (Patchstack).

As of April 2025, no official fix has been made available for this vulnerability. The issue has been assigned a low patch priority, and Patchstack indicates that a virtual patch is unnecessary due to the low severity impact (Patchstack).