Skip to main content

Guff WordPress Theme CVE-2026-28076

HIGH
Missing Authorization (CWE-862)
2026-03-05 audit@patchstack.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Updated
Apr 23, 2026 - 00:39 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 06:16 nvd
HIGH 7.5

DescriptionCVE.org

Missing Authorization vulnerability in Frenify Guff guff allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Guff: from n/a through <= 1.0.1.

AnalysisAI

Unauthorized data disclosure in Frenify Guff WordPress theme versions through 1.0.1 allows unauthenticated remote attackers to access sensitive information via missing authorization controls. The vulnerability exploits incorrectly configured access control security levels, enabling attackers to bypass authentication mechanisms and read confidential data. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability in the wild, with no CISA KEV listing or public exploit code identified at time of analysis.

Technical ContextAI

WordPress themes are PHP-based presentation layer components that control site appearance and functionality. The Guff theme by Frenify contains a missing authorization vulnerability (CWE-862) where access control checks are either absent or improperly implemented on sensitive endpoints or functions. This allows requests to bypass intended authentication gates. WordPress themes commonly expose AJAX handlers, REST API endpoints, or direct PHP file access that should verify user capabilities before processing requests. When authorization checks are missing, these endpoints process requests from any visitor regardless of authentication state. The vulnerability's CVSS vector (AV:N/AC:L/PR:N) confirms the issue is exploitable remotely without authentication or complex preconditions, while the Confidentiality impact (C:H) indicates substantial information exposure risk.

Affected ProductsAI

Frenify Guff WordPress theme versions from earliest release through version 1.0.1 are confirmed affected. The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/guff/vulnerability/wordpress-guff-theme-1-0-1-broken-access-control-vulnerability provides vendor-specific details. All WordPress installations using Guff theme version 1.0.1 or earlier are vulnerable regardless of WordPress core version, as this is a theme-level implementation flaw. The vulnerability affects default theme configurations without requiring special feature enablement.

RemediationAI

Update Frenify Guff theme to a patched version addressing the authorization controls if available from the vendor. Check the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/guff/vulnerability/wordpress-guff-theme-1-0-1-broken-access-control-vulnerability for patch release information. If no patched version is available, implement compensating controls: disable or remove the Guff theme entirely and switch to a maintained alternative WordPress theme, which eliminates the vulnerability with minimal functional impact if the theme is primarily cosmetic. For sites requiring Guff theme features, apply web application firewall rules blocking unauthenticated access to theme-specific AJAX handlers and PHP files in wp-content/themes/guff/ directories, though this requires identifying the exact vulnerable endpoints which may not be publicly documented. Review WordPress user roles and capabilities to ensure the principle of least privilege limits data exposure even if authorization checks fail. Monitor access logs for suspicious requests to theme endpoints from unauthenticated sources as a detection control.

Share

CVE-2026-28076 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy