CVE-2025-53986: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in ThemeIsle Hestia WordPress theme, affecting versions through 3.2.10. The vulnerability allows accessing functionality not properly constrained by Access Control Lists (ACLs). The issue was reported by Martino Spagnuolo (r3verii) on June 10, 2025, and was publicly disclosed on July 16, 2025 (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 Base Score of 5.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed (Patchstack).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. The severity is considered low, with potential impact on the integrity of the system (Patchstack).

The vulnerability has been fixed in version 3.2.11 of the Hestia theme. Users are advised to update to version 3.2.11 or later to remove the vulnerability (Patchstack).