Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
4.3
Mesmerize Companion plugin for WordPress allows unauthorized modification of pages
CVE-2025-12027
Summary
An attacker with subscriber access can modify certain page settings on a WordPress website using the Mesmerize theme. This could lead to changes in page layout and content. Update the Mesmerize Companion plugin to version 1.6.159 or later to fix the issue.
Original title
The Mesmerize Companion plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the "openPageInCustomizer" and "openPageInDefaultEdit...
Original description
The Mesmerize Companion plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the "openPageInCustomizer" and "openPageInDefaultEditor" functions in all versions up to, and including, 1.6.158. This makes it possible for authenticated attackers - with subscriber level access and above, on websites with the Mesmerize theme activated - to mark arbitrary pages as maintainable, wrap their content in custom sections, change page template metadata, and toggle the default editor flag without proper authorization.
nvd CVSS3.1
4.3
Vulnerability type
CWE-862
Missing Authorization
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026