Skip to main content

Woffice CVE-2026-27435

| EUVDEUVD-2026-40940 MEDIUM
Missing Authorization (CWE-862)
2026-07-01 Patchstack GHSA-xw5j-5p2q-fr86
5.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable endpoint with no credential or interaction requirement (PR:N/UI:N); impact confined to low integrity writes with no confidentiality or availability consequence, consistent with CWE-862 broken access control.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jul 01, 2026 - 11:16 EUVD
Analysis Generated
Jul 01, 2026 - 09:51 vuln.today
CVE Published
Jul 01, 2026 - 08:50 cve.org
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in WofficeIO Woffice allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Woffice: from n/a before 5.4.33.

AnalysisAI

Broken access control in the WofficeIO Woffice WordPress theme (all versions before 5.4.33) permits unauthenticated remote attackers to exploit incorrectly configured access control security levels, achieving low-impact unauthorized write actions without credentials or user interaction. Discovered and disclosed by Patchstack, the flaw stems from CWE-862 (Missing Authorization), where the theme fails to enforce proper capability checks on specific endpoints. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running vulnerable Woffice theme
Exploit
Send unauthenticated HTTP request to unprotected theme endpoint
Execution
Bypass missing authorization check
Impact
Execute unauthorized low-impact write action within theme functionality

Vulnerability AssessmentAI

Exploitation Any internet-accessible WordPress installation with the Woffice theme active and running a version prior to 5.4.33 is within the attack surface. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 5.3 (Medium) reflects the full remote accessibility (AV:N), low attack complexity (AC:L), and absence of authentication or user interaction requirements (PR:N/UI:N), partially offset by a constrained integrity-only impact (I:L) with no confidentiality or availability consequences (C:N/A:N) and no scope change (S:U). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker identifies a WordPress site running a vulnerable Woffice theme version via passive fingerprinting or active probing, then sends a crafted HTTP request directly to a theme endpoint that lacks proper authorization checks. Because no capability verification is performed, the attacker bypasses the expected access control level and triggers a restricted action - such as modifying theme-controlled data or invoking a privileged function - without supplying credentials. …
Remediation Update the Woffice WordPress theme to version 5.4.33 or later, which resolves the missing authorization flaw per the NVD description. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-27435 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy