Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in UX-themes Flatsome flatsome allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flatsome: from n/a through <= 3.19.6.
AnalysisAI
Insufficient authorization controls in Flatsome theme versions 3.19.6 and earlier allow unauthenticated remote attackers to modify data through improperly configured access restrictions. The vulnerability enables unauthorized modifications without requiring user interaction, potentially compromising content integrity across affected websites.
Technical ContextAI
The vulnerability stems from CWE-862 (Missing Authorization), a class of access control defects where the application fails to properly verify user permissions before granting access to sensitive operations. In the context of the Flatsome theme (CPE identifiable as a WordPress theme component within WooCommerce/WordPress ecosystem), the flaw manifests as incorrectly configured access control security levels that allow unauthenticated or insufficiently privileged users to perform content modification operations. WordPress themes typically rely on WordPress's built-in capability system (wp_current_user(), current_user_can()), nonce verification, and role-based access control; this vulnerability indicates the Flatsome theme failed to properly implement one or more of these authorization checks in its custom functionality, potentially in AJAX endpoints, REST API routes, or theme-specific admin operations.
RemediationAI
Immediately upgrade the Flatsome theme to version 3.19.7 or later via WordPress Admin Dashboard (Appearance > Themes > Flatsome > Update if available), or download the patched version directly from the UX-themes store/marketplace. Verify the update was successful by confirming the version number in theme settings. As an interim measure on systems where immediate patching is not feasible, restrict WordPress administrative and content editing access to trusted IP ranges via firewall or .htaccess rules, disable REST API endpoints if not required (add define('REST_API_ENABLED', false); to wp-config.php), and audit user roles/capabilities to ensure only necessary accounts have content modification permissions. Monitor WordPress audit logs (via security plugins like Wordfence or Sucuri) for unauthorized modification attempts while the patch is being deployed.
Deserialization of Untrusted Data vulnerability in UX-themes Flatsome | Multi-Purpose Responsive WooCommerce Theme.17.5.
Broken access control in the UX-Themes Flatsome WordPress theme (versions up to and including 3.20.5) allows remote unau
Reflected cross-site scripting in the UX-themes Flatsome WordPress/WooCommerce theme (all versions up to and including 3
Broken access control in the Flatsome WordPress theme (versions <= 3.20.5) allows contributor-level authenticated users
The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the UX Countdown, Video Button, UX Vid
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at
Broken access control in Flatsome WordPress theme versions 3.20.5 and earlier allows authenticated subscriber-level user
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11788