{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69385", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:13:11.108Z", "datePublished": "2026-02-20T15:46:54.361Z", "dateUpdated": "2026-04-28T16:14:39.774Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "cartify", "product": "Cartify - WooCommerce Gutenberg WordPress Theme", "vendor": "AgniHD", "versions": [{"lessThanOrEqual": "1.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:37.409Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Cartify - WooCommerce Gutenberg WordPress Theme: from n/a through <= 1.3.</p>"}], "value": "Missing Authorization vulnerability in AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cartify - WooCommerce Gutenberg WordPress Theme: from n/a through <= 1.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:39.774Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/cartify/vulnerability/wordpress-cartify-woocommerce-gutenberg-wordpress-theme-theme-1-3-arbitrary-content-deletion-vulnerability?_s_id=cve"}], "title": "WordPress Cartify - WooCommerce Gutenberg WordPress Theme theme <= 1.3 - Arbitrary Content Deletion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T18:51:49.737781Z", "id": "CVE-2025-69385", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:51:52.605Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69385", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T18:51:49.737781Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T21:09:20.509Z"}}], "cna": {"title": "WordPress Cartify - WooCommerce Gutenberg WordPress Theme theme <= 1.3 - Arbitrary Content Deletion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AgniHD", "product": "Cartify - WooCommerce Gutenberg WordPress Theme", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.3"}], "packageName": "cartify", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:37.409Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/cartify/vulnerability/wordpress-cartify-woocommerce-gutenberg-wordpress-theme-theme-1-3-arbitrary-content-deletion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cartify - WooCommerce Gutenberg WordPress Theme: from n/a through <= 1.3.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Cartify - WooCommerce Gutenberg WordPress Theme: from n/a through <= 1.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:01.672Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69385", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:51:52.605Z", "dateReserved": "2025-12-31T20:13:11.108Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:54.361Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cartify - WooCommerce Gutenberg WordPress Theme: from n/a through <= 1.3."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en AgniHD Cartify - Tema de WordPress WooCommerce Gutenberg cartify permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Cartify - Tema de WordPress WooCommerce Gutenberg: desde n/a hasta &lt;= 1.3."}], "id": "CVE-2025-69385", "lastModified": "2026-04-27T19:16:43.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-20T16:22:23.687", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/cartify/vulnerability/wordpress-cartify-woocommerce-gutenberg-wordpress-theme-theme-1-3-arbitrary-content-deletion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Cartify - WooCommerce Gutenberg WordPress Theme", "source": "cna", "vendor": "AgniHD"}, "product": "cartify_-_woocommerce_gutenberg_wordpress_theme", "vendor": "agnihd"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:20:13.242691+00:00", "value": {"mitigation_remediation": ["Upgrade Cartify \u2013 WooCommerce Gutenberg WordPress Theme to a version newer than 1.3, ensuring the missing authorization fix is applied.", "Restrict author and contributor roles by disabling their capability to delete content and enforce that only administrators can modify theme settings.", "Implement regular backups of site content and enable change\u2011tracking logs so that accidental or malicious deletions can be identified and recovered."], "summary": {"action": "Apply Patch", "impact": "Arbitrary content deletion"}, "threat_synthesis": {"affected_systems": "This issue affects the AgniHD Cartify \u2013 WooCommerce Gutenberg WordPress Theme in all releases up to and including version 1.3. Users running these versions are exposed to the deletion vulnerability.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows an attacker to delete any content managed by the WordPress Cartify \u2013 WooCommerce Gutenberg WordPress Theme. It stems from incorrectly configured access control, enabling deletion without a valid privilege check. The weakness is classified as CWE\u2011862 \u2013 Missing Authorization.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity, yet the EPSS score of less than 1% shows a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves a user who can log in to the WordPress backend or edit the theme\u2019s configuration and then perform deletion actions that should have been restricted to higher\u2011privilege roles."}}}}, "created": "2026-02-23T14:37:09.703518+00:00", "updated": "2026-04-27T20:30:12.272876+00:00", "vendors": ["agnihd", "agnihd$PRODUCT$cartify_-_woocommerce_gutenberg_wordpress_theme", "wordpress", "wordpress$PRODUCT$wordpress"]}