The CozyStay WordPress theme contains a missing authorization (CWE-862) vulnerability in its ajax_handler function, present in all versions up to and including 1.7.0. This lack of capability checks permits unauthenticated attackers to execute arbitrary actions, leading to unauthorized modification of data. The CVSS 3.1 base score is 7.5 (high), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to integrity.

An attacker without authentication can exploit this vulnerability to modify data arbitrarily within the CozyStay theme environment. This compromises data integrity but does not affect confidentiality or availability. The impact is significant due to the ability to perform unauthorized actions remotely.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the WordPress admin and ajax endpoints where possible and monitor for suspicious activity related to the CozyStay theme. Avoid using affected versions in production environments.