Attack Vectors

CVE-2026-25367 is a Medium severity (CVSS 5.3) missing authorization issue affecting the Support for CitiLights – Real Estate WordPress Theme (slug: noo-citilights) in versions reported as up to 3.7.2. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates the attack can be performed remotely over the network, requires no login, and needs no user interaction.

In practical terms, an unauthenticated attacker could probe exposed theme functionality and attempt to trigger the vulnerable function to carry out an unauthorized action on your WordPress site.

Security Weakness

The underlying weakness is a missing capability check (authorization control) on a theme function. When capability checks are absent, WordPress cannot reliably enforce “who is allowed to do what,” which can allow requests from unauthenticated visitors to reach actions that should be restricted to trusted roles (such as administrators or editors).

This vulnerability is documented by Wordfence and tracked as CVE-2026-25367.

Technical or Business Impacts

Although this issue is rated Medium and does not indicate direct data exposure (CVSS shows no confidentiality impact), it does carry a potential integrity impact. Unauthorized actions can still create meaningful business risk, including unwanted changes that affect site content, lead capture workflows, property listings, branding, SEO performance, or user experience.

From a business and compliance perspective, even “limited” unauthorized changes can lead to operational disruption (time spent investigating and restoring content), marketing performance impacts (broken landing pages, misdirected calls-to-action, altered forms), and reputational damage if customers see inaccurate listings or messaging.

Remediation: Follow vendor guidance to update the CitiLights theme to version 3.7.2, or to a newer patched version if available. In parallel, reduce exposure by limiting unnecessary public endpoints, keeping WordPress core/plugins/themes updated, and monitoring for unexpected changes.

Similar attacks (real examples): Authorization and access-control gaps are a common root cause in WordPress incidents. For context, see CVE-2024-27956 (a widely discussed WordPress plugin authentication/access issue), CVE-2023-2745 (WordPress-related authorization concerns in the ecosystem), and CVE-2021-29447 (a WordPress core media issue that was actively monitored due to broad exposure). These examples illustrate how quickly widely deployed WordPress components can become targets once weaknesses are public.