Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in wproyal News Magazine X news-magazine-x allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects News Magazine X: from n/a through <= 1.2.50.
AnalysisAI
A missing authorization vulnerability in the WordPress News Magazine X theme (versions up to 1.2.50) allows attackers to bypass access control mechanisms and exploit incorrectly configured security levels. This broken access control issue, classified under CWE-862, enables unauthorized users to access restricted functionality or resources that should require proper authentication or authorization. The vulnerability affects all installations of News Magazine X theme through version 1.2.50, and remediation requires immediate theme updates to patched versions.
Technical ContextAI
News Magazine X is a WordPress theme distributed through the WordPress ecosystem, as identified by CPE cpe:2.3:a:wproyal:news_magazine_x:*:*:*:*:*:*:*:*. The vulnerability stems from improper implementation of WordPress access control functions, likely missing or inadequate capability checks in theme functions, filters, or AJAX handlers. CWE-862 (Missing Authorization) indicates that the theme fails to enforce proper authorization checks before allowing sensitive operations, meaning the application trusts user input or session data without verifying that users have the appropriate permissions to perform requested actions. In WordPress context, this typically manifests as missing checks for current_user_can() or similar authorization functions before executing privileged operations, allowing lower-privilege users or unauthenticated attackers to perform actions restricted to administrators or editors.
RemediationAI
Immediately upgrade the News Magazine X theme to a version higher than 1.2.50, which should contain the authorization fixes. Users should navigate to WordPress dashboard, go to Appearance > Themes, locate News Magazine X, and click Update if available, or manually download and install the patched version from the official WordPress theme repository or WPRoyal's official distribution channel. As a temporary mitigation while waiting for patches, restrict theme access by enforcing strict WordPress user role management and capability filters, disabling any custom theme functionality that handles sensitive operations until patches are confirmed, and monitoring theme function execution logs for suspicious authorization-bypass attempts. Review user permissions and ensure only trusted administrators have access to theme customization options. For installations where prompt patching is not possible, consider temporarily switching to an alternative theme and re-enabling News Magazine X only after patching verification.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15574
GHSA-jf2q-cv58-j965