CVE-2025-31066: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in themeton Acerola WordPress theme, affecting versions up to 1.6.5. The vulnerability was reported on March 29, 2025, by Tran Nguyen Bao Khanh from VCI - VNPT Cyber Immunity and was publicly disclosed on May 16, 2025. The vulnerability has been assigned CVE-2025-31066 and relates to broken access control issues that could allow exploiting incorrectly configured access control security levels (Patchstack).

The vulnerability is classified as a Missing Authorization (CWE-862) issue. It received a CVSS v3.1 score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The vulnerability can be exploited by unauthenticated users and involves broken access control mechanisms where authorization, authentication, or nonce token checks are missing in certain functions (Patchstack, NVD).

The vulnerability has been assessed as having a low severity impact. It potentially allows unprivileged users to execute certain higher privileged actions due to the broken access control implementation (Patchstack).

As of the disclosure date, no official fix has been released for this vulnerability. The issue affects Acerola theme versions up to 1.6.5, and no patched version is currently available (Patchstack).