Platform
wordpress
Component
vikinger
Fixed in
1.9.31
CVE-2025-2238 is a privilege escalation vulnerability in the Vikinger WordPress theme. An authenticated user with Subscriber-level access or higher can elevate their own account to Administrator and thereby take full control of the site. Versions 1.0.0 through 1.9.30 are affected; the issue is fixed in 1.9.31.
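To make the bug class concrete, the following is an added illustration, not the Vikinger theme's code: a WordPress AJAX user-meta update handler written the unsafe way and the hardened way. The function, action, nonce and meta-key names (all prefixed example_) are assumed for the example. The unsafe handler writes whatever meta keys the caller supplies, so a Subscriber can set wp_capabilities on their own account and become an Administrator; the hardened one checks a nonce, writes only an allowlist of profile keys, and leaves role changes to WP_User::set_role() under the promote_users capability.

```php
<?php
// Added illustration of the bug class behind CVE-2025-2238. This is NOT the
// Vikinger theme's code: the function, action, nonce and meta-key names below
// are assumed for the example.

// --- Unsafe pattern ---------------------------------------------------------
// Any logged-in user, Subscribers included, can call wp_ajax_* actions through
// /wp-admin/admin-ajax.php. Forwarding caller-supplied keys straight to
// update_user_meta() lets the caller overwrite wp_capabilities, e.g. with
// meta[wp_capabilities][administrator]=1, and become an Administrator.
function example_user_meta_update_ajax_unsafe() {
    $user_id = get_current_user_id();
    $meta    = isset( $_POST['meta'] ) ? (array) $_POST['meta'] : array();

    foreach ( $meta as $key => $value ) {
        update_user_meta( $user_id, $key, $value ); // no allowlist, no nonce
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_user_meta_update_unsafe', 'example_user_meta_update_ajax_unsafe' );

// --- Hardened pattern -------------------------------------------------------
// Profile fields the front end is allowed to write, each with its sanitizer.
// Role and capability keys are deliberately absent from this list.
function example_profile_meta_allowlist() {
    return array(
        'example_tagline' => 'sanitize_text_field',
        'example_about'   => 'sanitize_textarea_field',
        'example_website' => 'esc_url_raw',
    );
}

function example_user_meta_update_ajax_hardened() {
    // Rejects requests without a valid nonce (CSRF) and dies with HTTP 403.
    check_ajax_referer( 'example_profile_update', 'nonce' );

    $user_id   = get_current_user_id();
    $allowlist = example_profile_meta_allowlist();
    $meta      = isset( $_POST['meta'] ) && is_array( $_POST['meta'] )
        ? wp_unslash( $_POST['meta'] )
        : array();
    $written   = array();

    foreach ( $meta as $key => $value ) {
        if ( ! array_key_exists( $key, $allowlist ) || ! is_scalar( $value ) ) {
            continue; // drop anything outside the allowlist, wp_capabilities included
        }
        $sanitize = $allowlist[ $key ];
        update_user_meta( $user_id, $key, $sanitize( (string) $value ) );
        $written[] = $key;
    }
    // Role changes are not a profile edit: they go through WP_User::set_role(),
    // guarded by current_user_can( 'promote_users' ), never through this handler.
    wp_send_json_success( array( 'updated' => $written ) );
}
add_action( 'wp_ajax_example_user_meta_update_hardened', 'example_user_meta_update_ajax_hardened' );
```

The point of the allowlist is that admin-ajax.php is reachable by every logged-in account, so restricting dashboard pages by role does nothing for a handler like the unsafe one above; the handler itself must decide which keys a caller may touch.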
An attacker exploiting this vulnerability gains complete administrative control of the WordPress site: installing plugins and themes (which on a default installation means running arbitrary PHP on the web server), modifying content, creating or deleting user accounts, and reading everything stored in the WordPress database. A compromised administrator account amounts to full site takeover and exposure of all site data. Given how widely WordPress is deployed, large-scale compromise is possible if the flaw is exploited broadly.
This vulnerability was publicly disclosed on 2025-04-25. No public proof-of-concept (PoC) code had been released at the time of writing. The only precondition is a Subscriber-level account, which any visitor can obtain on sites with open registration, so exploitation is straightforward once the details are understood; the probability of exploitation is assessed as medium. It is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Websites running the Vikinger theme are at risk, especially those that allow open user registration or already have many Subscriber-level accounts, and those without strong access controls. Shared-hosting environments where the provider manages WordPress updates may be slower to apply the patch and are at increased risk.
Detection (wordpress / composer / npm):
• grep -r 'vikinger_user_meta_update_ajax' /var/www/html/wp-content/themes/vikinger/
• wp theme list --status=all | grep vikinger
• wp plugin list --status=all | grep vikinger
The grep only establishes that the theme and its user-meta update handler are installed; it does not tell a patched build from an unpatched one. Vikinger is a theme, so the wp theme list line is the relevant check (wp plugin list will normally return nothing). Compare the version it reports, or the Version: header in the theme's style.css, against 1.9.31: anything from 1.0.0 through 1.9.30 is affected.
EPSS: 0.26% (49th percentile)
The primary mitigation for CVE-2025-2238 is to update the Vikinger theme to 1.9.31 or later. Check the theme developer's website or download page for the latest release; Vikinger is a theme, not a plugin, so it will not appear in the WordPress.org plugin repository. Confirm the installed version afterwards in the WordPress admin panel or with wp theme get vikinger --field=version.
If updating is not immediately possible, reduce exposure. Restricting Subscribers' access to dashboard pages does little here, because the vulnerable code path is the theme's own user-metadata update function rather than an admin page; instead, disable open registration where it is not needed and put stricter access controls on the user-metadata update function. Review user roles and permissions regularly, and look in particular for unexpected Administrator accounts or recent role changes, since a successful exploit leaves an attacker-controlled administrator behind.
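If the theme cannot be updated right away, a must-use plugin can act as a virtual patch for the user-meta path that this class of bug abuses. The following is an added example, not part of Vikinger and not a substitute for upgrading to 1.9.31; the plugin header and the example_ function names are assumed. It hooks the update_user_metadata and add_user_metadata filters, which WordPress runs before any user-meta write, and refuses to write the capabilities or user_level keys unless the acting user has promote_users or the value is the harmless default-registration role.

```php
<?php
/**
 * Plugin Name: Guard privileged user meta (added example, not part of Vikinger)
 * Description: Refuses writes to the capabilities / user_level user-meta keys
 *              unless the acting user may promote users. Place this file in
 *              wp-content/mu-plugins/ so it loads before any theme code.
 */

// The two meta keys that encode a user's role set and legacy level. The table
// prefix comes from $wpdb so custom prefixes and multisite blogs are handled.
function example_privileged_user_meta_keys() {
    global $wpdb;
    $prefix = $wpdb->get_blog_prefix();
    return array(
        'caps'  => $prefix . 'capabilities',
        'level' => $prefix . 'user_level',
    );
}

// A capabilities value is harmless only if it is the array WordPress itself
// writes at registration: the site's default role and nothing else.
function example_is_default_role_only( $value ) {
    if ( ! is_array( $value ) ) {
        return false; // core always writes an array; a string here is suspicious
    }
    $roles        = array_keys( array_filter( $value ) );
    $default_role = get_option( 'default_role', 'subscriber' );
    return array() === array_diff( $roles, array( $default_role ) );
}

// Runs inside update_metadata()/add_metadata() before the database write.
// Returning null lets WordPress continue; returning false aborts the write and
// makes update_user_meta() return false to its caller.
function example_guard_privileged_user_meta( $check, $object_id, $meta_key, $meta_value ) {
    $keys = example_privileged_user_meta_keys();

    if ( $meta_key === $keys['caps'] ) {
        $benign = example_is_default_role_only( $meta_value );
    } elseif ( $meta_key === $keys['level'] ) {
        $benign = ( 0 === (int) $meta_value ); // level 0 is what the default role gets
    } else {
        return $check; // unrelated meta key, e.g. a profile field
    }

    if ( $benign || current_user_can( 'promote_users' ) ) {
        return $check; // registration path, or an administrator changing a role
    }

    // Keep enough context to investigate who tried to escalate whom.
    error_log( sprintf(
        'blocked privileged user-meta write: actor=%d target=%d key=%s value=%s ip=%s',
        get_current_user_id(),
        (int) $object_id,
        $meta_key,
        wp_json_encode( $meta_value ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
    return false;
}
add_filter( 'update_user_metadata', 'example_guard_privileged_user_meta', 10, 4 );
add_filter( 'add_user_metadata',    'example_guard_privileged_user_meta', 10, 4 );
```

Two caveats. The filters only see writes that go through the WordPress meta API, so a plugin or theme issuing direct $wpdb queries is not covered. And because WP-CLI runs without a logged-in user by default, commands such as wp user set-role or wp user create --role=administrator must be run with --user=<an administrator> while this guard is active. The blocked-write line in the PHP error log is also a useful detection signal: on an unpatched site it is exactly what an escalation attempt through the vulnerable handler would produce.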
CVE-2025-2238 is a HIGH severity vulnerability in the Vikinger WordPress theme that lets an authenticated Subscriber gain Administrator privileges.
If you are using Vikinger versions 1.0.0 through 1.9.30, you are affected by this vulnerability.
Update the Vikinger theme to 1.9.31 or later, obtained from the theme developer.
No public exploit is currently known, but because any Subscriber account suffices, active exploitation is plausible.
Check the theme developer's website for the official advisory and update information.