CVE-2025-1326 is a vulnerability identified in the Homey WordPress theme developed by Fave Themes, affecting all versions up to and including 2.4.4. The root cause is a missing authorization check (CWE-862) in the function homey_reservation_del(), which is responsible for deleting reservations and posts. This flaw allows any authenticated user with at least Subscriber-level privileges to invoke this function and delete arbitrary reservations or posts without proper capability verification. Since WordPress Subscriber roles typically have minimal permissions, this vulnerability significantly elevates the risk of unauthorized data modification by low-privileged users. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network (AV:N). The CVSS v3.1 base score is 4.3, indicating a medium severity level, with the impact primarily on data integrity (I:L) and no direct impact on confidentiality or availability. No patches or fixes have been linked yet, and no known exploits are reported in the wild. The vulnerability was reserved in February 2025 and published in May 2025, with enrichment from CISA and Wordfence. The absence of authorization checks in critical functions like homey_reservation_del() is a common security oversight that can lead to unauthorized content manipulation, undermining trust and operational stability of affected websites.

The primary impact of CVE-2025-1326 is unauthorized modification of website content, specifically the deletion of reservations and posts. This can disrupt business operations, especially for organizations relying on the Homey theme for booking or reservation management, such as real estate agencies, rental services, or hospitality businesses. Unauthorized deletion can lead to data loss, customer dissatisfaction, and reputational damage. Since the vulnerability requires only Subscriber-level access, it lowers the barrier for exploitation by malicious insiders or compromised low-privilege accounts. Although it does not directly affect confidentiality or availability, the integrity impact can cascade into operational disruptions and potential financial losses. Organizations with high volumes of user-generated content or reservations are particularly vulnerable. The lack of known exploits in the wild suggests limited immediate threat, but the vulnerability’s presence in a popular WordPress theme means it could be targeted in future attacks. The medium CVSS score reflects moderate risk but should not be underestimated given the ease of exploitation and potential business impact.

1. Immediate mitigation should involve restricting Subscriber-level users from accessing or invoking the homey_reservation_del() function by implementing custom capability checks or role restrictions via WordPress hooks or plugins. 2. Monitor and audit user activities related to reservation and post deletions to detect unauthorized actions promptly. 3. Apply principle of least privilege by reviewing and minimizing user roles and permissions, especially for Subscriber-level accounts. 4. Backup all reservation and post data regularly to enable recovery in case of unauthorized deletions. 5. Engage with Fave Themes or the WordPress community to obtain or request an official patch addressing the missing authorization check. 6. Consider deploying a Web Application Firewall (WAF) with custom rules to block suspicious requests targeting the vulnerable function. 7. Educate site administrators and users on the risks of low-privilege account compromise and enforce strong authentication mechanisms to reduce risk of account takeover. 8. Until a patch is available, consider temporarily disabling or replacing the Homey theme if the risk is unacceptable.