{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67965", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:23.852Z", "datePublished": "2025-12-16T08:12:58.164Z", "dateUpdated": "2026-04-28T16:14:24.907Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "homey-core", "product": "Homey Core", "vendor": "favethemes", "versions": [{"changes": [{"at": "2.4.4", "status": "unaffected"}], "lessThanOrEqual": "2.4.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:24:29.520Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in favethemes Homey Core homey-core allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Homey Core: from n/a through <= 2.4.3.</p>"}], "value": "Missing Authorization vulnerability in favethemes Homey Core homey-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Homey Core: from n/a through <= 2.4.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:24.907Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/homey-core/vulnerability/wordpress-homey-core-plugin-2-4-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Homey Core plugin <= 2.4.3 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-16T19:07:34.514965Z", "id": "CVE-2025-67965", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:08:22.898Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67965", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-16T19:07:34.514965Z"}}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T19:07:30.050Z"}}], "cna": {"title": "WordPress Homey Core plugin <= 2.4.3 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "favethemes", "product": "Homey Core", "versions": [{"status": "affected", "changes": [{"at": "2.4.4", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.4.3"}], "packageName": "homey-core", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:24:29.520Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/homey-core/vulnerability/wordpress-homey-core-plugin-2-4-3-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in favethemes Homey Core homey-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Homey Core: from n/a through <= 2.4.3.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in favethemes Homey Core homey-core allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Homey Core: from n/a through <= 2.4.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:24.907Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67965", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:24.907Z", "dateReserved": "2025-12-15T10:00:23.852Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-12-16T08:12:58.164Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in favethemes Homey Core homey-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Homey Core: from n/a through <= 2.4.3."}], "id": "CVE-2025-67965", "lastModified": "2026-04-27T18:16:51.747", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2025-12-16T09:15:59.970", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/homey-core/vulnerability/wordpress-homey-core-plugin-2-4-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T22:26:01.159094+00:00", "value": {"mitigation_remediation": ["Upgrade Homey Core to version 2.4.4 or later to fix the broken access control bug.", "If an upgrade cannot be performed immediately, disable or delete the Homey Core plugin from the WordPress installation.", "Reconfigure WordPress role and capability settings to ensure that only authorized users can access administrative functions, particularly those provided by Homey Core."], "summary": {"action": "Patch", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "Affected systems are WordPress sites running the Homey Core plugin from favethemes, with versions up to and including 2.4.3. All installations of Homey Core on these versions are vulnerable until the plugin is upgraded beyond 2.4.3.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows an attacker to bypass incorrectly configured access control levels within the Homey Core plugin. This results in a broken access control weakness (CWE-862) that can enable unauthorized access to restricted content or administrative functions of a WordPress site. The impact is elevating the user privileges of an attacker, potentially exposing sensitive data or allowing further exploitation if other weaknesses are present.", "risk_and_exploitability": "The CVSS base score of 5.3 indicates a moderate severity, and the EPSS score is below 1%, suggesting a low probability of exploitation in the wild. Because the issue stems from missing authorization in the plugin code, the likely attack vector is a web-based request to a protected resource, such as an admin endpoint or a page that should be restricted. Although not listed in CISA\u2019s KEV catalog, administrators should still address the issue promptly to eliminate the risk of privilege escalation on their sites."}}}}, "created": "2025-12-16T17:09:27.870506+00:00", "updated": "2026-04-27T22:30:14.456116+00:00", "vendors": ["favethemes", "favethemes$PRODUCT$homey", "wordpress", "wordpress$PRODUCT$wordpress"]}