Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in raratheme Rara Business rara-business allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rara Business: from n/a through <= 1.3.0.
AnalysisAI
Rara Business WordPress theme version 1.3.0 and earlier contains an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data through improperly configured access controls. The vulnerability requires no user interaction and can be exploited over the network, though no patch is currently available. Affected installations should implement additional access control measures or upgrade when patches become available.
Technical ContextAI
The Rara Business theme for WordPress (CPE: cpe:2.3:a:raratheme:rara_business) implements authorization checks that fail to properly validate user permissions before allowing modifications to protected resources. This represents a classic CWE-862 (Missing Authorization) vulnerability where the application performs an action on behalf of the user without verifying they have the appropriate permissions. The vulnerability is rooted in the theme's access control security levels being incorrectly configured, likely affecting REST API endpoints, admin AJAX handlers, or custom action hooks that should restrict operations to authenticated administrators but fail to do so. The issue affects all installations of Rara Business through version 1.3.0.
RemediationAI
Upgrade Rara Business theme to a version newer than 1.3.0 that includes the authorization fix; check the official Rara Theme project or WordPress.org theme directory for the patched version. If immediate patching is not possible, apply WordPress security hardening measures including limiting REST API access through authentication plugins, disabling unnecessary theme custom endpoints via code modifications, and restricting administrative access to trusted IP ranges through firewall rules. Additionally, audit WordPress user roles and capabilities to ensure only trusted administrators have content modification permissions, and implement security monitoring to detect unauthorized modification attempts.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11814