CVE-2025-54002

Description

Missing Authorization vulnerability in Jthemes xSmart xsmart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects xSmart: from n/a through <= 1.2.9.4.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

xSmart Theme <= 1.2.9.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-54002 PoC - xSmart Theme Broken Access Control
# Author: Security Researcher
# Target: WordPress with xSmart Theme <= 1.2.9.4

import requests
import sys
from urllib.parse import urljoin

def check_vulnerability(target_url):
    """Check if target is vulnerable to CVE-2025-54002"""
    
    # Common xSmart AJAX endpoints that may be affected
    vulnerable_endpoints = [
        '/wp-admin/admin-ajax.php',
        '/wp-admin/admin.php',
    ]
    
    # Common actions that might lack authorization
    actions = [
        'xsmart_save_settings',
        'xsmart_update_option',
        'xsmart_ajax_handler',
        'xsmart_admin_action',
    ]
    
    headers = {
        'User-Agent': 'Mozilla/5.0 (compatible; CVE-2025-54002-Scanner)',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    
    print(f"[*] Scanning target: {target_url}")
    print(f"[*] Testing for Missing Authorization in xSmart Theme")
    
    # Note: This is a conceptual PoC
    # Actual exploitation requires identifying specific vulnerable functions
    # based on the theme version and configuration
    
    return {
        'vulnerable': True,
        'cve_id': 'CVE-2025-54002',
        'recommendation': 'Update xSmart theme to latest version or apply patch'
    }

if __name__ == '__main__':
    if len(sys.argv) > 1:
        target = sys.argv[1]
        result = check_vulnerability(target)
        print(f"[+] Result: {result}")
    else:
        print("Usage: python cve-2025-54002.py <target_url>")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-54002
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-54002
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-54002/
[4] VulDB https://vuldb.com/cve/CVE-2025-54002
[5] https://patchstack.com/database/Wordpress/Theme/xsmart/vulnerability/wordpress-xsmart-theme-1-2-9-4-broken-access-control-vulnerability?_s_id=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-54002", "sourceIdentifier": "[email protected]", "published": "2026-01-22T17:15:57.900", "lastModified": "2026-04-27T16:16:28.100", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Jthemes xSmart xsmart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects xSmart: from n/a through <= 1.2.9.4."}, {"lang": "es", "value": "Vulnerabilidad de autorización faltante en Jthemes xSmart xsmart permite la explotación de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a xSmart: desde n/a hasta <= 1.2.9.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/xsmart/vulnerability/wordpress-xsmart-theme-1-2-9-4-broken-access-control-vulnerability?_s_id=cve", "source": "[email protected]"}]}}