Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in raratheme Preschool and Kindergarten preschool-and-kindergarten allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Preschool and Kindergarten: from n/a through <= 1.2.5.
AnalysisAI
Improperly configured access controls in the Preschool and Kindergarten plugin (versions up to 1.2.5) allow unauthenticated attackers to modify content or settings without proper authorization. This missing authorization vulnerability affects websites using the vulnerable plugin and could enable unauthorized data tampering. No security patch is currently available for this vulnerability.
Technical ContextAI
The vulnerability stems from CWE-862 (Missing Authorization), a common WordPress plugin flaw where access control checks are either absent or misconfigured at critical function entry points. The raratheme Preschool and Kindergarten plugin (CPE identifier: cpe:2.3:a:raratheme:preschool_and_kindergarten) fails to validate user capabilities or enforce proper permission checks before processing sensitive operations. This is typical of WordPress security oversights where developers neglect to use functions like current_user_can() or do_action() hooks with proper nonce verification before executing administrative or content-modification functions. The plugin architecture likely exposes AJAX handlers, REST API endpoints, or direct function calls without proper authorization gates, allowing an unauthenticated actor to directly invoke privileged operations.
RemediationAI
Immediately upgrade the Preschool and Kindergarten plugin to the patched version released by raratheme (version 1.2.6 or later if available; verify the exact patch version on the official plugin repository or raratheme website). To upgrade, navigate to WordPress Dashboard > Plugins > Preschool and Kindergarten, click Update, and confirm. If no patch is yet available or the theme is no longer maintained, temporarily disable the plugin and switch to a maintained alternative theme until a security update is released. As a interim measure, restrict WordPress admin access via IP whitelisting using a Web Application Firewall or .htaccess rules, enforce strong authentication via a security plugin like Wordfence, and monitor site activity logs for unauthorized content modifications. Ensure WordPress core, all plugins, and themes are kept current with security updates going forward.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11816