Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in MVPThemes The League the-league allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The League: from n/a through <= 4.4.1.
AnalysisAI
This is a missing authorization vulnerability (CWE-862) in MVPThemes The League WordPress theme affecting versions up to 4.4.1, where incorrectly configured access control security levels allow attackers to bypass authentication mechanisms. An attacker can exploit this broken access control to perform unauthorized actions or access restricted functionality without proper credentials. While no CVSS score or EPSS data is currently available, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15732, indicating active tracking by EU vulnerability databases.
Technical ContextAI
The vulnerability exists in the MVPThemes The League WordPress theme (CPE: cpe:2.3:a:mvpthemes:the_league:*:*:*:*:*:*:*:*), a theme component that runs within WordPress. The root cause is classified under CWE-862 (Missing Authorization), which refers to a situation where the application fails to properly verify that the user performing an action has the necessary privileges or permissions. In WordPress theme context, this typically manifests as incorrectly configured role-based access controls (RBAC) or capability checks in theme functionality, allowing unauthenticated or low-privileged users to access admin-level features, sensitive data, or configuration settings that should require elevated permissions. The broken access control likely affects theme-specific AJAX endpoints, settings pages, or post/page modification functions.
RemediationAI
Immediately upgrade MVPThemes The League theme to the patched version above 4.4.1. To update, navigate to WordPress admin dashboard, go to Appearance > Themes, locate The League theme, and apply the available update (if available from the theme vendor). If no patched version is available from MVPThemes, consider disabling or replacing the theme with an alternative until a patch is released. As an interim mitigation, restrict WordPress admin access by implementing IP whitelisting on the wp-admin directory and wp-login.php endpoints via web server configuration or security plugin, and audit user roles to ensure no unauthorized accounts have administrative capabilities. Consult the vendor advisory at Patchstack (https://patchstack.com) for theme-specific remediation guidance and patch availability status.
More in The League
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15732
GHSA-w6x8-mjqg-7pwv