CVE-2025-4797: 
WordPress vulnerability analysis and mitigation

The Golo - City Travel Guide WordPress Theme contains a critical privilege escalation vulnerability (CVE-2025-4797) affecting all versions up to and including 1.7.0. The vulnerability was disclosed on June 3, 2025, and has been assigned a CVSS v3.1 base score of 9.8 (Critical). The issue affects the theme's authentication mechanism, where improper user identity validation occurs during the authorization cookie setting process (NVD Database).

The vulnerability stems from an authentication bypass using an alternate path or channel (CWE-288). The core issue lies in the theme's failure to properly validate user identity before setting authorization cookies. The vulnerability has received a CVSS v3.1 score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD Database).

The vulnerability allows unauthenticated attackers to perform account takeover attacks and gain unauthorized access to any user account, including administrator accounts, by only knowing the target user's email address. This gives attackers full control over affected WordPress installations, potentially leading to complete site compromise (NVD Database).

Users of the Golo - City Travel Guide WordPress Theme should immediately update their installations to a version newer than 1.7.0 once available. Until a patch is released, site administrators should consider implementing additional security measures such as web application firewalls and monitoring for unauthorized access attempts (NVD Database).