Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in raratheme Numinous numinous allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Numinous: from n/a through <= 1.3.0.
AnalysisAI
Numinous theme versions up to 1.3.0 contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data through improperly configured access controls. The vulnerability affects the theme's security implementation and could enable unauthorized changes to application data without authentication. No patch is currently available for this issue.
Technical ContextAI
This vulnerability is classified as CWE-862 (Missing Authorization), which represents a fundamental access control failure where security mechanisms fail to properly verify user permissions before allowing sensitive operations. The affected product is the Numinous theme by raratheme, a WordPress theme that likely implements custom post types, settings pages, or REST API endpoints without adequate capability checks. The vulnerability suggests that functions handling content modification or configuration changes are missing WordPress nonce verification or role-based capability checks (wp_verify_nonce(), current_user_can()), allowing any network-based actor to trigger administrative actions. The issue spans from an unspecified initial version through Numinous 1.3.0, indicating the flaw existed through at least the 1.3.0 release cycle.
RemediationAI
Upgrade the Numinous theme to a patched version greater than 1.3.0 as soon as a fix is released by raratheme. Check the official raratheme website or WordPress.org theme repository for version 1.3.1 or later. Until a patch is available, implement server-level access controls by restricting theme functionality endpoints using a Web Application Firewall (WAF) to block requests to suspicious theme action hooks, or temporarily disable the Numinous theme and switch to an alternative WordPress theme. Additionally, monitor WordPress logs for unauthorized POST requests to admin-ajax.php or REST API endpoints associated with the theme, and consider implementing a WordPress security plugin (such as Wordfence or Sucuri) to add integrity monitoring and access control hardening. For production environments with critical data, isolate the affected WordPress installation behind additional authentication layers or disable public access until patching is completed.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11883