Guff WordPress Theme CVE-2026-28076
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Frenify Guff guff allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Guff: from n/a through <= 1.0.1.
AnalysisAI
Unauthorized data disclosure in Frenify Guff WordPress theme versions through 1.0.1 allows unauthenticated remote attackers to access sensitive information via missing authorization controls. The vulnerability exploits incorrectly configured access control security levels, enabling attackers to bypass authentication mechanisms and read confidential data. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability in the wild, with no CISA KEV listing or public exploit code identified at time of analysis.
Technical ContextAI
WordPress themes are PHP-based presentation layer components that control site appearance and functionality. The Guff theme by Frenify contains a missing authorization vulnerability (CWE-862) where access control checks are either absent or improperly implemented on sensitive endpoints or functions. This allows requests to bypass intended authentication gates. WordPress themes commonly expose AJAX handlers, REST API endpoints, or direct PHP file access that should verify user capabilities before processing requests. When authorization checks are missing, these endpoints process requests from any visitor regardless of authentication state. The vulnerability's CVSS vector (AV:N/AC:L/PR:N) confirms the issue is exploitable remotely without authentication or complex preconditions, while the Confidentiality impact (C:H) indicates substantial information exposure risk.
Affected ProductsAI
Frenify Guff WordPress theme versions from earliest release through version 1.0.1 are confirmed affected. The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/guff/vulnerability/wordpress-guff-theme-1-0-1-broken-access-control-vulnerability provides vendor-specific details. All WordPress installations using Guff theme version 1.0.1 or earlier are vulnerable regardless of WordPress core version, as this is a theme-level implementation flaw. The vulnerability affects default theme configurations without requiring special feature enablement.
RemediationAI
Update Frenify Guff theme to a patched version addressing the authorization controls if available from the vendor. Check the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/guff/vulnerability/wordpress-guff-theme-1-0-1-broken-access-control-vulnerability for patch release information. If no patched version is available, implement compensating controls: disable or remove the Guff theme entirely and switch to a maintained alternative WordPress theme, which eliminates the vulnerability with minimal functional impact if the theme is primarily cosmetic. For sites requiring Guff theme features, apply web application firewall rules blocking unauthenticated access to theme-specific AJAX handlers and PHP files in wp-content/themes/guff/ directories, though this requires identifying the exact vulnerable endpoints which may not be publicly documented. Review WordPress user roles and capabilities to ensure the principle of least privilege limits data exposure even if authorization checks fail. Monitor access logs for suspicious requests to theme endpoints from unauthenticated sources as a detection control.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today