HIGH 8.8

CVE-2025-53345: ThimPress Thim Core Missing Authorization Leads to Code Execution

ThimPress Thim Core contains a missing authorization vulnerability that allows authenticated users to execute arbitrary code by installing a malicious plugin. An attacker with legitimate user access can bypass security checks intended to restrict plugin installation, enabling them to deploy and run arbitrary code on the affected WordPress installation. This is a post-authentication attack that significantly expands an attacker's capability once they have gained initial user credentials.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-862
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

Missing Authorization vulnerability leading to code execution after installing malicious vulnerable plugin in ThimPress Thim Core. This issue affects Thim Core: from n/a through 2.3.3.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2025-53345 is a CWE-862 (Missing Authorization) vulnerability in ThimPress Thim Core versions through 2.3.3. The vulnerability stems from inadequate authorization checks when handling plugin installation requests. An authenticated user can submit a malicious plugin without proper validation of their permissions, and the system executes the plugin code with insufficient sandboxing or verification. The CVSS 3.1 score of 8.8 (HIGH severity) reflects the combination of network accessibility, low attack complexity, requirement for authenticated access, and the severe impact: full compromise of confidentiality, integrity, and availability on the affected server.

Business impact

Organizations using ThimPress Thim Core face a significant operational risk. If an attacker compromises any user account—whether through credential stuffing, phishing, or insider threat—they can immediately escalate to arbitrary code execution on the web server. This enables data exfiltration, website defacement, malware injection targeting visitors, or lateral movement into the broader network infrastructure. For WordPress-based business websites, this creates a critical supply chain risk if the compromised installation is used to serve content to customers or partners.

Affected systems

ThimPress Thim Core versions up to and including 2.3.3 are affected. Organizations should audit their WordPress installations for this plugin and verify the installed version. The vulnerability requires an authenticated user to trigger, so it does not pose a direct risk to unauthenticated attackers unless user credentials are compromised or accounts have been created for untrusted parties.

Exploitability

Exploitation requires valid user credentials to access the WordPress admin interface. The attack complexity is low—once authenticated, an attacker can craft and upload a malicious plugin without specialized technical knowledge. No user interaction is needed beyond the initial login. The absence of this CVE from CISA's Known Exploited Vulnerabilities catalog does not guarantee the absence of active exploitation; it indicates only that as of the query date, exploitation has not been formally documented in that particular government database.

Remediation

Update ThimPress Thim Core to the patched version released after 2.3.3. Verify the exact patched version by consulting the official ThimPress plugin repository or security advisory. As an interim control pending patching, restrict plugin installation permissions to administrators only, disable plugin upload for non-admin roles if possible, and monitor admin user activity for unauthorized plugin installations.

Patch guidance

Check the WordPress plugin directory or ThimPress's official support channel for the latest version. Update to the first released version after 2.3.3 that addresses CVE-2025-53345. Test the update in a staging environment before deploying to production. Also review and revoke any suspicious plugin installations that may have occurred prior to patching. Document the patch deployment timestamp for audit and compliance records.

Detection guidance

Monitor WordPress admin activity logs for plugin installation events, especially installations initiated by users other than your expected administrators. Alert on any plugin uploads from accounts that do not routinely perform maintenance. Use WordPress security plugins or host-level file integrity monitoring to detect unauthorized PHP files or plugin directories. Search your file system for plugins modified or created around the time of suspected compromise. Additionally, review HTTP request logs for POST requests to plugin installation endpoints with unusual parameters or timing patterns.

Why prioritize this

This vulnerability merits rapid remediation despite not appearing on CISA's KEV list. The HIGH CVSS score, combined with the post-authentication code execution impact and the prevalence of WordPress as a target, makes this a priority for any organization running ThimPress Thim Core. The attack is straightforward to execute if user credentials are available, and the consequences—full server compromise—are severe. Organizations should treat this similarly to a CRITICAL-severity patch if they have multiple admin-level accounts or if their user base includes contractors or vendors.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects: (1) Network accessibility and low attack complexity favor the attacker; (2) Requirement for authenticated access (PR:L) prevents completely unauthenticated exploitation, preventing a 9.0+ rating; (3) Full impact on confidentiality, integrity, and availability (C:H, I:H, A:H) due to unrestricted code execution; (4) No scope escalation required. The HIGH severity rating is appropriate for a post-authentication code execution flaw affecting web applications.

Frequently asked questions

Can an unauthenticated user exploit this vulnerability?

No. The vulnerability requires valid WordPress user credentials to access the admin interface and install plugins. However, if an attacker compromises any user account—admin or otherwise—they may be able to exploit it. The risk is proportional to the number and strength of WordPress user accounts in your installation.

What versions of ThimPress Thim Core are affected?

The vulnerability affects Thim Core through version 2.3.3. Verify your installed version in the WordPress plugin dashboard. A patched version should be available; check the official plugin repository or ThimPress support for the exact version number and installation instructions.

How can I reduce risk before patching?

Restrict plugin installation capabilities to administrators only via WordPress user roles and capabilities management. Use a security plugin to audit plugin installations and disable uploads if possible. Review your user account roster and revoke access for unused or former user accounts. Ensure admin passwords are strong and multi-factor authentication is enabled.

Does the absence from CISA's KEV list mean this isn't being exploited?

CISA's Known Exploited Vulnerabilities catalog represents confirmed exploitation in the wild as of the catalog update date. Absence from the list does not guarantee the vulnerability is unexploited; it may indicate exploitation is not yet documented in that particular database or it is limited to specific sectors. Security teams should treat the CVSS score and technical details as the primary risk indicator.

This analysis is provided for informational purposes to assist security teams in vulnerability assessment and remediation planning. SEC.co does not guarantee the accuracy of version numbers, patch availability, or timelines; these should be verified directly with ThimPress or the WordPress plugin repository. Exploitation severity and likelihood depend on your specific WordPress configuration, user access policies, and security controls. Testing patches in a non-production environment before deployment is strongly recommended. This explainer does not constitute legal advice or guarantee of protection against exploitation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).