CVE-2025-52804: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-52804) was discovered in the WordPress Nuss theme, affecting versions through 1.3.3. The vulnerability was reported on May 8, 2025, and publicly disclosed on July 8, 2025. The issue allows unauthorized access to functionality not properly constrained by Access Control Lists (ACLs) (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 Base Score of 7.5 (High). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating that it can be exploited over the network with low attack complexity, requires no privileges or user interaction, and can result in high impact to integrity (NVD, Patchstack).

The vulnerability allows unprivileged users to execute higher privileged actions due to missing authorization, authentication, or nonce token checks. This broken access control issue is considered highly dangerous and is expected to become mass exploited (Patchstack).

No official fix is currently available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website owners are advised to implement mitigation measures immediately (Patchstack).