Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in LiquidThemes Ave Core ave-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ave Core: from n/a through <= 2.9.1.
AnalysisAI
This is a Missing Authorization (Broken Access Control) vulnerability in LiquidThemes Ave Core plugin affecting versions up to 2.9.1, where incorrectly configured access control security levels allow attackers to bypass authentication mechanisms and access protected functionality. The vulnerability, classified under CWE-862, impacts WordPress installations using the affected Ave Core plugin versions. While no CVSS score, EPSS data, or confirmed KEV status is currently available, the Patchstack intelligence indicates this represents an authentication bypass weakness that could enable unauthorized access to administrative or sensitive features without proper privilege escalation.
Technical ContextAI
Ave Core is a WordPress plugin framework developed by LiquidThemes (CPE: cpe:2.3:a:liquidthemes:ave_core:*:*:*:*:*:*:*:*) that provides core theming and functionality for WordPress sites. The vulnerability stems from CWE-862 (Missing Authorization), a root cause classification indicating that the plugin fails to properly enforce access control checks on sensitive operations or resources. Rather than an authentication bypass where users can forge credentials, this vulnerability reflects improperly configured authorization logic—meaning authenticated users or even unauthenticated actors may access functionality they should not have permission to use due to missing or inadequate capability verification checks within the plugin's codebase.
RemediationAI
Upgrade LiquidThemes Ave Core to a version later than 2.9.1 immediately, as the vulnerability affects all versions up to and including 2.9.1. Check the LiquidThemes official repository or Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/ave-core/vulnerability/wordpress-ave-core-plugin-2-9-1-broken-access-control-vulnerability?_s_id=cve) for the latest patched release. Until a patch is available or deployable, restrict access to the WordPress admin panel using IP whitelisting, Web Application Firewall rules targeting suspicious access patterns to Ave Core endpoints, and enforce strong authentication on all administrative accounts. Audit user capabilities and role definitions to ensure no unintended privilege escalation has occurred.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15742
GHSA-5r5h-9j2h-8qf8