Skip to main content

Ave Core CVE-2026-25460

| EUVDEUVD-2026-15742 MEDIUM
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-5r5h-9j2h-8qf8
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15742
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.3

DescriptionCVE.org

Missing Authorization vulnerability in LiquidThemes Ave Core ave-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ave Core: from n/a through <= 2.9.1.

AnalysisAI

This is a Missing Authorization (Broken Access Control) vulnerability in LiquidThemes Ave Core plugin affecting versions up to 2.9.1, where incorrectly configured access control security levels allow attackers to bypass authentication mechanisms and access protected functionality. The vulnerability, classified under CWE-862, impacts WordPress installations using the affected Ave Core plugin versions. While no CVSS score, EPSS data, or confirmed KEV status is currently available, the Patchstack intelligence indicates this represents an authentication bypass weakness that could enable unauthorized access to administrative or sensitive features without proper privilege escalation.

Technical ContextAI

Ave Core is a WordPress plugin framework developed by LiquidThemes (CPE: cpe:2.3:a:liquidthemes:ave_core:*:*:*:*:*:*:*:*) that provides core theming and functionality for WordPress sites. The vulnerability stems from CWE-862 (Missing Authorization), a root cause classification indicating that the plugin fails to properly enforce access control checks on sensitive operations or resources. Rather than an authentication bypass where users can forge credentials, this vulnerability reflects improperly configured authorization logic—meaning authenticated users or even unauthenticated actors may access functionality they should not have permission to use due to missing or inadequate capability verification checks within the plugin's codebase.

RemediationAI

Upgrade LiquidThemes Ave Core to a version later than 2.9.1 immediately, as the vulnerability affects all versions up to and including 2.9.1. Check the LiquidThemes official repository or Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/ave-core/vulnerability/wordpress-ave-core-plugin-2-9-1-broken-access-control-vulnerability?_s_id=cve) for the latest patched release. Until a patch is available or deployable, restrict access to the WordPress admin panel using IP whitelisting, Web Application Firewall rules targeting suspicious access patterns to Ave Core endpoints, and enforce strong authentication on all administrative accounts. Audit user capabilities and role definitions to ensure no unintended privilege escalation has occurred.

Share

CVE-2026-25460 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy