CVE-2025-4797 CRITICAL

CVE-2025-4797: Golo <= 1.7.0 - Authentication Bypass to Account Takeover

Vendor Uxper
Product Golo - City Travel Guide WordPress Theme
Weakness CWE-288
Published June 3, 2025
Last update April 8, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Golo - City Travel Guide theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.7.0. This is due to the theme not properly validating a user's identity prior to setting an authorization cookie. This makes it possible for unauthenticated attackers to log in as any user, including administrators, provided they know the user's email address. CVE-2025-54725 is likely a duplicate of this issue.
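To make the CWE-288 pattern concrete, here is an added example (not Golo's code, which this record does not reproduce) of a hypothetical WordPress AJAX login handler that sets the auth cookie on the strength of a user-supplied email address alone, beside a hardened version that makes WordPress verify a credential first. The action names, the `email`, `password` and `nonce` parameters, and the function names are assumptions for illustration.

```php
<?php
// Added example, not Golo code: a hypothetical "passwordless" login handler
// exhibiting CWE-288 (authentication bypass via an alternate path), followed
// by a hardened form. Action and parameter names are assumptions.

// VULNERABLE: identity is taken from an attacker-controlled email address and
// an auth cookie is issued without any credential being verified. Whoever
// knows an administrator's email address is logged in as that administrator.
function demo_vulnerable_login() {
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $user  = get_user_by( 'email', $email );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user' );
    }
    // Nothing proves the requester *is* this user, yet a session is created.
    wp_set_auth_cookie( $user->ID, true );
    wp_send_json_success( array( 'logged_in_as' => $user->user_login ) );
}
add_action( 'wp_ajax_nopriv_demo_login_vulnerable', 'demo_vulnerable_login' );

// HARDENED: the request is bound to a nonce, and identity is established by
// WordPress's own credential check. wp_signon() accepts an email address as
// user_login and only calls wp_set_auth_cookie() after authentication succeeds,
// so every 'authenticate' filter (password check, lockout plugins) still runs.
function demo_hardened_login() {
    check_ajax_referer( 'demo_login', 'nonce' );

    $creds = array(
        'user_login'    => isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '',
        'user_password' => isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '',
        'remember'      => false,
    );
    $user = wp_signon( $creds, is_ssl() );
    if ( is_wp_error( $user ) ) {
        // Generic message: do not reveal whether the email address exists.
        wp_send_json_error( 'invalid credentials', 401 );
    }
    wp_send_json_success( array( 'logged_in_as' => $user->user_login ) );
}
add_action( 'wp_ajax_nopriv_demo_login_hardened', 'demo_hardened_login' );
```

The defect is not the use of `wp_set_auth_cookie()` itself but calling it before anything has proven the caller owns the account; an email address is public information, not a secret. If a theme genuinely needs passwordless login (a magic link, for instance), the credential must be a single-use, expiring, randomly generated token stored against the user and compared with `hash_equals()` before the cookie is set.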

Explanation of Vulnerability in Simple Terms

02 Summary

The Golo - City Travel Guide WordPress theme, versions 1.7.0 and earlier, contains an authentication bypass (CWE-288). An unauthenticated attacker who knows the email address of an existing account can obtain a valid session for that account without its password. The vulnerability requires no user interaction and can be exploited remotely over the network. Site administrators should update immediately to a release later than 1.7.0.
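A check administrators can drop in while the update is scheduled, added here as an example and not part of this record or of Uxper's code: a must-use plugin that warns when the active theme, or the parent of an active child theme, is Golo at version 1.7.0 or earlier, the range this record lists as affected. The match on the theme name and the mu-plugin file name are assumptions; the `Version` header is the one WordPress reads from the theme's `style.css`.

```php
<?php
/**
 * Plugin Name: Golo CVE-2025-4797 version check (added example)
 *
 * Added example, not Uxper's code: save as wp-content/mu-plugins/golo-cve-check.php.
 * Child themes report their own version, so the parent theme is what is checked
 * when a child theme is active.
 */

const GOLO_CVE_2025_4797_LAST_VULNERABLE = '1.7.0';

/**
 * Return the affected WP_Theme object, or null when the site is not affected.
 */
function golo_cve_2025_4797_affected_theme() {
    $theme = wp_get_theme();
    if ( $theme->parent() ) {
        $theme = $theme->parent();
    }
    // Assumption: the theme's Name header contains "Golo".
    $name = (string) $theme->get( 'Name' );
    if ( stripos( $name, 'golo' ) === false ) {
        return null;
    }
    $version = (string) $theme->get( 'Version' );
    // A missing Version header is reported as affected rather than silently passing.
    if ( '' === $version || version_compare( $version, GOLO_CVE_2025_4797_LAST_VULNERABLE, '<=' ) ) {
        return $theme;
    }
    return null;
}

add_action( 'admin_notices', function () {
    // Only users who can act on the warning see it.
    if ( ! current_user_can( 'update_themes' ) ) {
        return;
    }
    $theme = golo_cve_2025_4797_affected_theme();
    if ( null === $theme ) {
        return;
    }
    printf(
        '<div class="notice notice-error"><p>%s</p></div>',
        esc_html( sprintf(
            'Theme "%s" version %s is affected by CVE-2025-4797 (unauthenticated account takeover, CVSS 9.8). Update to a release later than 1.7.0.',
            $theme->get( 'Name' ),
            $theme->get( 'Version' )
        ) )
    );
} );
```

The notice is advisory only; it does not block the vulnerable code path. Until the theme is updated, the practical mitigations are restricting access to the site at the edge and reviewing administrator accounts and recent logins for sessions nobody created.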

What an attacker can do

03 Attacker Capabilities

Log in as any existing user, including administrators, without that user's password or any other credential; the attacker only needs to know the target account's email address.

Potential impact on your site

04 Site Impact

With an administrator account taken over, attackers can read, modify, or delete all site data, install malicious plugins, themes, or other code, and take complete control of the WordPress installation.

Conditions required to exploit

05 Prerequisites

Network access to a site running Golo at version 1.7.0 or earlier, and knowledge of the email address of the account to be taken over (an administrator's, for full control). No authentication or user interaction is required.

Key dates

06 Disclosure timeline

June 3, 2025 CVE published
April 8, 2026 Record updated