Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in Linethemes NanoCare allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects NanoCare: from n/a before 1.2.2.
AnalysisAI
Missing authorization in the NanoCare WordPress theme (Linethemes) before version 1.2.2 permits low-privileged authenticated users to exploit incorrectly configured access control levels, resulting in limited integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) confirms network-accessible exploitation requiring only a low-privilege account with no user interaction. No public exploit code exists and no active exploitation has been confirmed; EPSS at 0.04% (11th percentile) and SSVC exploitation status of 'none' indicate this is currently a theoretical rather than actively weaponized risk.
Technical ContextAI
NanoCare is a WordPress theme developed by Linethemes, identified via CPE cpe:2.3:a:linethemes:nanocare:*:*:*:*:*:*:*:*. The root cause is CWE-862 (Missing Authorization), a class of flaw where the application performs sensitive operations without verifying that the requesting authenticated principal has the necessary permissions. In the WordPress context, this typically manifests as theme-registered REST API endpoints, AJAX handlers, or admin-facing actions that fail to implement capability checks (e.g., via current_user_can()), allowing any logged-in user - including subscribers or customers - to invoke functionality intended for administrators or editors. The scope is unchanged (S:U), suggesting the impact is contained within the WordPress application boundary rather than breaking out to the underlying host.
RemediationAI
Vendor-released patch: NanoCare version 1.2.2. Site administrators should update the NanoCare theme to 1.2.2 or later immediately via the WordPress dashboard or by downloading from the theme vendor. The Patchstack advisory (https://patchstack.com/database/wordpress/theme/nanocare/vulnerability/wordpress-nanocare-theme-1-2-2-broken-access-control-vulnerability) documents the fix. If an immediate upgrade is not feasible, a compensating control is to restrict WordPress user registration and limit the lowest-privileged role (e.g., Subscriber) from accessing the site until patched - note this may impact legitimate user workflows. Web application firewall rules targeting unanticipated theme AJAX or REST API calls from low-privilege accounts can reduce exposure but are not a substitute for patching.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31753
GHSA-5gwj-3vhg-r8mv