CVE-2025-31846: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in Jeroen Schmit Theater for WordPress plugin, tracked as CVE-2025-31846. The vulnerability affects versions through 0.18.7 and involves incorrectly configured access control security levels. The issue was discovered by researcher theviper17y and was publicly disclosed on April 1, 2025 (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 score of 4.3 (Medium). The vulnerability vector is described as CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and required low privileges for exploitation (NVD).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks in specific functions. The severity is considered low, with potential impact varying case by case (Patchstack).

The vulnerability has been fixed in version 0.18.8 of the Theater for WordPress plugin. Users are advised to update to version 0.18.8 or later to remove the vulnerability. Patchstack users have the option to enable auto-update for vulnerable plugins (Patchstack).