CVE-2025-9194

Description

The Constructor theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clean() function in all versions up to, and including, 1.6.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a theme clean.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected products

antonshevchuk / Constructor0 – 1.6.5

References

MISChttps://www.wordfence.com/threat-intel/vulnerabilities/id/d9c479fc-2e98-4851-a36c-2fd219e750ed?source=cve
MISChttps://themes.svn.wordpress.org/constructor/1.6.5/libs/Constructor/Ajax.php