Skip to main content

The League CVE-2026-25454

| EUVDEUVD-2026-15732 MEDIUM
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-w6x8-mjqg-7pwv
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15732
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.5

DescriptionCVE.org

Missing Authorization vulnerability in MVPThemes The League the-league allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The League: from n/a through <= 4.4.1.

AnalysisAI

This is a missing authorization vulnerability (CWE-862) in MVPThemes The League WordPress theme affecting versions up to 4.4.1, where incorrectly configured access control security levels allow attackers to bypass authentication mechanisms. An attacker can exploit this broken access control to perform unauthorized actions or access restricted functionality without proper credentials. While no CVSS score or EPSS data is currently available, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15732, indicating active tracking by EU vulnerability databases.

Technical ContextAI

The vulnerability exists in the MVPThemes The League WordPress theme (CPE: cpe:2.3:a:mvpthemes:the_league:*:*:*:*:*:*:*:*), a theme component that runs within WordPress. The root cause is classified under CWE-862 (Missing Authorization), which refers to a situation where the application fails to properly verify that the user performing an action has the necessary privileges or permissions. In WordPress theme context, this typically manifests as incorrectly configured role-based access controls (RBAC) or capability checks in theme functionality, allowing unauthenticated or low-privileged users to access admin-level features, sensitive data, or configuration settings that should require elevated permissions. The broken access control likely affects theme-specific AJAX endpoints, settings pages, or post/page modification functions.

RemediationAI

Immediately upgrade MVPThemes The League theme to the patched version above 4.4.1. To update, navigate to WordPress admin dashboard, go to Appearance > Themes, locate The League theme, and apply the available update (if available from the theme vendor). If no patched version is available from MVPThemes, consider disabling or replacing the theme with an alternative until a patch is released. As an interim mitigation, restrict WordPress admin access by implementing IP whitelisting on the wp-admin directory and wp-login.php endpoints via web server configuration or security plugin, and audit user roles to ensure no unauthorized accounts have administrative capabilities. Consult the vendor advisory at Patchstack (https://patchstack.com) for theme-specific remediation guidance and patch availability status.

Share

CVE-2026-25454 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy