CVE-2025-60098: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in Jeff Farthing's Theme My Login WordPress plugin affecting versions through 7.1.12. The vulnerability was reported by researcher Psai on June 2, 2025, and was publicly disclosed on September 26, 2025. The issue was assigned CVE-2025-60098 and relates to incorrectly configured access control security levels (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) where there is a missing authorization, authentication, or nonce token check in a function that could allow an unprivileged user to execute higher privileged actions. The vulnerability received a CVSS 3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, indicating it is network accessible, requires low attack complexity, and needs no privileges or user interaction to exploit (NVD, Patchstack).

The vulnerability has been assessed to have a low severity impact on affected systems. It potentially allows unauthorized users to perform actions that should be restricted to users with higher privileges, though specific impact details vary case by case (Patchstack).

The vulnerability has been patched in version 7.1.13 of the Theme My Login plugin. Users are advised to update to version 7.1.13 or later to remove the vulnerability. Patchstack users have the option to enable auto-updates for vulnerable plugins (Patchstack).