Themes Vulnerabilities

JNews <= 11.6.16 - Missing Authorization

Description

The theme is vulnerable to unauthorized access due to a missing capability check on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Themes

jnews
No known fix

References

CVE
CVE-2025-39373
URL
https://patchstack.com/database/wordpress/theme/jnews/vulnerability/wordpress-jnews-theme-11-6-5-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Ananda Dhakal
Verified
No
WPVDB ID
f25bebdd-515e-408a-bfe7-d2a519243e06

Timeline

Publicly Published
2025-04-22 (about 11 months ago)
Added
2025-04-30 (about 11 months ago)
Last Updated
2026-01-06 (about 2 months ago)

Other

Published
Title
Published
2023-09-25
Title
BEAR for WordPress < 1.1.4 - Arbitrary Settings Update via CSRF
Published
2025-10-16
Title
MeetingHub < 1.23.10 - Missing Authorization
Published
2026-02-18
Title
Dealia – Request a quote < 1.0.8 - Missing Authorization to Authenticated (Contributor+) Plugin Configuration Reset
Published
2024-05-06
Title
WP Post Author < 3.7.5 - Missing Authorization
Published
2023-09-22
Title
Ad Inserter – Ad Manager & AdSense Ads < 2.7.31 - Unauthenticated Sensitive Information Exposure