Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-reachable endpoint with no credential or interaction requirement (PR:N/UI:N); impact confined to low integrity writes with no confidentiality or availability consequence, consistent with CWE-862 broken access control.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in WofficeIO Woffice allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Woffice: from n/a before 5.4.33.
AnalysisAI
Broken access control in the WofficeIO Woffice WordPress theme (all versions before 5.4.33) permits unauthenticated remote attackers to exploit incorrectly configured access control security levels, achieving low-impact unauthorized write actions without credentials or user interaction. Discovered and disclosed by Patchstack, the flaw stems from CWE-862 (Missing Authorization), where the theme fails to enforce proper capability checks on specific endpoints. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Any internet-accessible WordPress installation with the Woffice theme active and running a version prior to 5.4.33 is within the attack surface. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 5.3 (Medium) reflects the full remote accessibility (AV:N), low attack complexity (AC:L), and absence of authentication or user interaction requirements (PR:N/UI:N), partially offset by a constrained integrity-only impact (I:L) with no confidentiality or availability consequences (C:N/A:N) and no scope change (S:U). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated remote attacker identifies a WordPress site running a vulnerable Woffice theme version via passive fingerprinting or active probing, then sends a crafted HTTP request directly to a theme endpoint that lacks proper authorization checks. Because no capability verification is performed, the attacker bypasses the expected access control level and triggers a restricted action - such as modifying theme-controlled data or invoking a privileged function - without supplying credentials. … |
| Remediation | Update the Woffice WordPress theme to version 5.4.33 or later, which resolves the missing authorization flaw per the NVD description. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The Woffice CRM theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.4.21.
Missing Authorization vulnerability in WofficeIO Woffice Core allows Accessing Functionality Not Properly Constrained by
The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing
Cross Site Scripting (XSS) vulnerability in WofficeIO Woffice Core allows Reflected XSS.4.8. Rated medium severity (CVSS
The Woffice Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including,
The Woffice Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40940
GHSA-xw5j-5p2q-fr86