CVE-2025-53345: ThimPress Thim Core Missing Authorization Leads to Code Execution
ThimPress Thim Core contains a missing authorization vulnerability that allows authenticated users to execute arbitrary code by installing a malicious plugin. An attacker with legitimate user access can bypass security checks intended to restrict plugin installation, enabling them to deploy and run arbitrary code on the affected WordPress installation. This is a post-authentication attack that significantly expands an attacker's capability once they have gained initial user credentials.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-862
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Missing Authorization vulnerability leading to code execution after installing malicious vulnerable plugin in ThimPress Thim Core. This issue affects Thim Core: from n/a through 2.3.3.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-53345 is a CWE-862 (Missing Authorization) vulnerability in ThimPress Thim Core versions through 2.3.3. The vulnerability stems from inadequate authorization checks when handling plugin installation requests. An authenticated user can submit a malicious plugin without proper validation of their permissions, and the system executes the plugin code with insufficient sandboxing or verification. The CVSS 3.1 score of 8.8 (HIGH severity) reflects the combination of network accessibility, low attack complexity, requirement for authenticated access, and the severe impact: full compromise of confidentiality, integrity, and availability on the affected server.
Business impact
Organizations using ThimPress Thim Core face a significant operational risk. If an attacker compromises any user account—whether through credential stuffing, phishing, or insider threat—they can immediately escalate to arbitrary code execution on the web server. This enables data exfiltration, website defacement, malware injection targeting visitors, or lateral movement into the broader network infrastructure. For WordPress-based business websites, this creates a critical supply chain risk if the compromised installation is used to serve content to customers or partners.
Affected systems
ThimPress Thim Core versions up to and including 2.3.3 are affected. Organizations should audit their WordPress installations for this plugin and verify the installed version. The vulnerability requires an authenticated user to trigger, so it does not pose a direct risk to unauthenticated attackers unless user credentials are compromised or accounts have been created for untrusted parties.
Exploitability
Exploitation requires valid user credentials to access the WordPress admin interface. The attack complexity is low—once authenticated, an attacker can craft and upload a malicious plugin without specialized technical knowledge. No user interaction is needed beyond the initial login. The absence of this CVE from CISA's Known Exploited Vulnerabilities catalog does not guarantee the absence of active exploitation; it indicates only that as of the query date, exploitation has not been formally documented in that particular government database.
Remediation
Update ThimPress Thim Core to the patched version released after 2.3.3. Verify the exact patched version by consulting the official ThimPress plugin repository or security advisory. As an interim control pending patching, restrict plugin installation permissions to administrators only, disable plugin upload for non-admin roles if possible, and monitor admin user activity for unauthorized plugin installations.
Patch guidance
Check the WordPress plugin directory or ThimPress's official support channel for the latest version. Update to the first released version after 2.3.3 that addresses CVE-2025-53345. Test the update in a staging environment before deploying to production. Also review and revoke any suspicious plugin installations that may have occurred prior to patching. Document the patch deployment timestamp for audit and compliance records.
Detection guidance
Monitor WordPress admin activity logs for plugin installation events, especially installations initiated by users other than your expected administrators. Alert on any plugin uploads from accounts that do not routinely perform maintenance. Use WordPress security plugins or host-level file integrity monitoring to detect unauthorized PHP files or plugin directories. Search your file system for plugins modified or created around the time of suspected compromise. Additionally, review HTTP request logs for POST requests to plugin installation endpoints with unusual parameters or timing patterns.
Why prioritize this
This vulnerability merits rapid remediation despite not appearing on CISA's KEV list. The HIGH CVSS score, combined with the post-authentication code execution impact and the prevalence of WordPress as a target, makes this a priority for any organization running ThimPress Thim Core. The attack is straightforward to execute if user credentials are available, and the consequences—full server compromise—are severe. Organizations should treat this similarly to a CRITICAL-severity patch if they have multiple admin-level accounts or if their user base includes contractors or vendors.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects: (1) Network accessibility and low attack complexity favor the attacker; (2) Requirement for authenticated access (PR:L) prevents completely unauthenticated exploitation, preventing a 9.0+ rating; (3) Full impact on confidentiality, integrity, and availability (C:H, I:H, A:H) due to unrestricted code execution; (4) No scope escalation required. The HIGH severity rating is appropriate for a post-authentication code execution flaw affecting web applications.
Frequently asked questions
Can an unauthenticated user exploit this vulnerability?
No. The vulnerability requires valid WordPress user credentials to access the admin interface and install plugins. However, if an attacker compromises any user account—admin or otherwise—they may be able to exploit it. The risk is proportional to the number and strength of WordPress user accounts in your installation.
What versions of ThimPress Thim Core are affected?
The vulnerability affects Thim Core through version 2.3.3. Verify your installed version in the WordPress plugin dashboard. A patched version should be available; check the official plugin repository or ThimPress support for the exact version number and installation instructions.
How can I reduce risk before patching?
Restrict plugin installation capabilities to administrators only via WordPress user roles and capabilities management. Use a security plugin to audit plugin installations and disable uploads if possible. Review your user account roster and revoke access for unused or former user accounts. Ensure admin passwords are strong and multi-factor authentication is enabled.
Does the absence from CISA's KEV list mean this isn't being exploited?
CISA's Known Exploited Vulnerabilities catalog represents confirmed exploitation in the wild as of the catalog update date. Absence from the list does not guarantee the vulnerability is unexploited; it may indicate exploitation is not yet documented in that particular database or it is limited to specific sectors. Security teams should treat the CVSS score and technical details as the primary risk indicator.
This analysis is provided for informational purposes to assist security teams in vulnerability assessment and remediation planning. SEC.co does not guarantee the accuracy of version numbers, patch availability, or timelines; these should be verified directly with ThimPress or the WordPress plugin repository. Exploitation severity and likelihood depend on your specific WordPress configuration, user access policies, and security controls. Testing patches in a non-production environment before deployment is strongly recommended. This explainer does not constitute legal advice or guarantee of protection against exploitation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25391HIGHHaPe PKH 1.1 Authorization Bypass – Unauthorized Record Deletion Vulnerability
- CVE-2025-26418HIGHAndroid CarDevicePolicyService Privilege Escalation (CVSS 7.8)
- CVE-2026-10737HIGHWordPress SP Project & Document Manager Unauthenticated File Access Vulnerability
- CVE-2026-31942HIGHLibreChat IDOR Vulnerability Allows Unauthorized API Key Manipulation
- CVE-2026-32905HIGHOpenClaw Device-Pair Authorization Bypass (CVSS 8.3)
- CVE-2026-35630HIGHOpenClaw Authorization Bypass in QQBot Approval Buttons
- CVE-2026-42669HIGHEventPrime Missing Authorization Vulnerability (CVSS 7.5)
- CVE-2026-42670HIGHMissing Authorization in Five Star Restaurant Reservations – Data Exposure Risk