{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9331", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-21T21:41:45.367Z", "datePublished": "2025-08-22T11:14:00.384Z", "dateUpdated": "2026-04-08T16:33:03.456Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:03.456Z"}, "affected": [{"vendor": "themegrill", "product": "Spacious", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.9.11", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Spacious theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'welcome_notice_import_handler' function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data into the site."}], "title": "Spacious <= 1.9.11 - Missing Authorization to Autheticated (Subscriber+) Demo Data Import", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03fd2eee-429c-4053-8105-e1816f99ea91?source=cve"}, {"url": "https://themes.trac.wordpress.org/changeset/282946/"}, {"url": "https://research.cleantalk.org/cve-2025-9331/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-08-21T22:13:50.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-22T14:00:10.464119Z", "id": "CVE-2025-9331", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-22T14:01:46.285Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9331", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-22T14:00:10.464119Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-22T14:00:17.773Z"}}], "cna": {"title": "Spacious <= 1.9.11 - Missing Authorization to Autheticated (Subscriber+) Demo Data Import", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "themegrill", "product": "Spacious", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.9.11"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-21T22:13:50.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03fd2eee-429c-4053-8105-e1816f99ea91?source=cve"}, {"url": "https://themes.trac.wordpress.org/changeset/282946/"}, {"url": "https://research.cleantalk.org/cve-2025-9331/"}], "descriptions": [{"lang": "en", "value": "The Spacious theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'welcome_notice_import_handler' function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data into the site."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-08-22T11:14:00.384Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9331", "state": "PUBLISHED", "dateUpdated": "2025-08-22T14:01:46.285Z", "dateReserved": "2025-08-21T21:41:45.367Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-22T11:14:00.384Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Spacious theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'welcome_notice_import_handler' function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data into the site."}, {"lang": "es", "value": "El tema Spacious para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de una comprobaci\u00f3n de la funci\u00f3n \"welcome_notice_import_handler\" en todas las versiones hasta la 1.9.11 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, importen datos de demostraci\u00f3n al sitio."}], "id": "CVE-2025-9331", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-22T12:15:35.267", "references": [{"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2025-9331/"}, {"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/changeset/282946/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03fd2eee-429c-4053-8105-e1816f99ea91?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:59:04.649364+00:00", "value": {"mitigation_remediation": ["Update the Spacious theme to the latest available version, which removes the missing capability check.", "If an upgrade is not immediately possible, remove or restrict the welcome_notice_import_handler endpoint for users with Subscriber level or lower, for example by editing the theme code to add a capability check or using a plugin that limits access to demo\u2011import functions.", "Monitor the site\u2019s logs for unexplained import operations performed by Subscriber accounts and review content changes to detect potential unauthorized modifications."], "summary": {"action": "Upgrade Theme", "impact": "Unauthorized Data Modification"}, "threat_synthesis": {"affected_systems": "Themegrill\u2019s Spacious theme, up to and including version 1.9.11, is affected. WordPress sites that have installed any of these versions are vulnerable unless they have been upgraded beyond 1.9.11.", "description_and_impact": "The Spacious WordPress theme contains a missing capability check in the welcome_notice_import_handler function, which allows any authenticated user with Subscriber level or higher to import demo data into the site. This can overwrite existing content or add new entries, leading to unauthorized modification of the website\u2019s data and disrupting its intended appearance or functionality. The vulnerability is a classic missing authorization issue (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 4.3 denotes moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Attacking this flaw requires a valid user account with at least Subscriber permissions, which is typically easy to obtain through legitimate sign\u2011ups or credential compromise. Once authenticated, an attacker can trigger the import functionality via the site\u2019s admin interface or by sending a crafted request to the relevant endpoint. The attack is non\u2011remote in that it requires prior authentication, but once authenticated, any user can perform the exploit without additional privileges."}}}}, "created": "2025-08-23T10:55:29.486853+00:00", "updated": "2026-04-22T17:00:12.346353+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}