PT-2025-28838 · Unknown · Sala - Startup & Saas Wordpress Theme

Thái An

Published

2025-07-09

Updated

2025-08-08

CVE-2025-4606

CVSS v3.1

9.8

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions:

Sala - Startup & SaaS WordPress Theme versions prior to 1.1.5

Description:

The issue arises from the theme's failure to properly validate a user's identity before updating their details, such as the `password`. This allows unauthenticated attackers to change arbitrary users' passwords, including those of administrators, and gain access to their accounts.

Recommendations:

For versions prior to 1.1.5, update to version 1.1.5 or later to resolve the issue.

As a temporary workaround, consider restricting access to user account management features until a patch is available.

Fix

LPE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-620

Related Identifiers

CVE-2025-4606

Affected Products

Sala - Startup & Saas Wordpress Theme

PT-2025-28838 · Unknown · Sala - Startup & Saas Wordpress Theme

Weakness Enumeration

Related Identifiers

Affected Products

References · 7