Themes Vulnerabilities

JNews <= 11.6.16 - Missing Authorization

Description

The theme is vulnerable to unauthorized access due to a missing capability check on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Themes

jnews
No known fix

References

CVE
CVE-2025-39373
URL
https://patchstack.com/database/wordpress/theme/jnews/vulnerability/wordpress-jnews-theme-11-6-5-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Ananda Dhakal
Verified
No
WPVDB ID
f25bebdd-515e-408a-bfe7-d2a519243e06

Timeline

Publicly Published
2025-04-22 (about 1 year ago)
Added
2025-04-30 (about 1 year ago)
Last Updated
2026-01-06 (about 4 months ago)

Other

Published
Title
Published
2025-04-29
Title
WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin < 14.13.4 - Subscriber+ Arbitrary Plugin Settings Update
Published
2024-04-12
Title
Ivory Search – WordPress Search Plugin < 5.5.6 - Subscriber+ Index Creation
Published
2024-04-16
Title
Popup Anything < 2.8.1 - Missing Authorization
Published
2026-05-11
Title
HEL Online Classroom: AI-powered Online Classrooms <= 1.0.3 - Missing Authorization to Unauthenticated Arbitrary Classroom Deletion via 'id' Parameter
Published
2025-06-12
Title
myCred < 2.9.4.3 - Missing Authorization