CVE-2025-67572 identifies a Missing Authorization vulnerability in the PenciDesign PenNews WordPress theme, affecting all versions prior to 6.7.4. This vulnerability stems from incorrectly configured access control mechanisms within the theme, which fail to properly verify user permissions before granting access to certain functionalities or data. As a result, unauthorized users, including unauthenticated visitors or low-privilege users, may exploit this flaw to perform actions reserved for higher privilege levels, such as modifying content, accessing sensitive data, or manipulating theme settings. The vulnerability does not require user interaction or authentication, increasing its risk profile. Although no public exploits have been reported yet, the widespread use of PenNews in WordPress sites makes this a significant concern. The lack of a CVSS score indicates the need for a severity assessment based on the potential impact on confidentiality, integrity, and availability, as well as exploitation complexity. The vulnerability primarily threatens confidentiality and integrity by enabling unauthorized access and modification capabilities. The scope includes all installations running vulnerable versions of PenNews, which is a popular theme for news and magazine-style websites. The vendor has not yet published patches or mitigation details, but upgrading to version 6.7.4 or later is expected to resolve the issue. Organizations should also review their access control policies and restrict administrative privileges to minimize risk.

For European organizations, the impact of CVE-2025-67572 can be significant, especially for those relying on PenNews for public-facing websites, news portals, or content-heavy platforms. Unauthorized access could lead to data leakage, defacement, or unauthorized content publication, damaging organizational reputation and trust. Confidential information managed through the website could be exposed, and integrity of published content could be compromised, potentially leading to misinformation or legal liabilities. The vulnerability could also be leveraged as a foothold for further attacks within the network if attackers gain administrative control. Given the popularity of WordPress and PenNews in Europe, especially among media companies, educational institutions, and SMEs, the risk is amplified. The absence of known exploits currently provides a window for proactive mitigation, but the ease of exploitation without authentication means attackers could rapidly weaponize this vulnerability once details become public. Disruption of availability is less likely but cannot be ruled out if attackers manipulate theme settings or content delivery.

1. Immediately upgrade PenNews to version 6.7.4 or later once the patch is available from PenciDesign. 2. Until patching is possible, restrict access to the WordPress admin dashboard and theme settings by IP whitelisting or VPN access. 3. Audit user roles and permissions within WordPress to ensure the principle of least privilege is enforced, removing unnecessary administrative rights. 4. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting theme-specific endpoints. 5. Monitor website logs for unusual access patterns or unauthorized attempts to access restricted functionality. 6. Regularly back up website data and configurations to enable quick restoration in case of compromise. 7. Educate site administrators about the vulnerability and the importance of timely updates and access control hygiene. 8. Consider isolating critical web infrastructure to limit lateral movement if exploitation occurs.