Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
7DescriptionCVE.org
Missing Authorization vulnerability in kamleshyadav Miraculous miraculous allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Miraculous: from n/a through < 2.1.2.
AnalysisAI
A Missing Authorization vulnerability (CWE-862) exists in the Miraculous theme by kamleshyadav, affecting versions prior to 2.1.2, that allows attackers to bypass access control security levels through incorrectly configured authorization mechanisms. An attacker can exploit this flaw to access restricted functionality or resources that should require proper authentication and authorization checks. While no CVSS score, EPSS data, or KEV status has been publicly assigned, the vulnerability has been documented by Patchstack and carries authentication bypass implications that warrant timely patching.
Technical ContextAI
The Miraculous theme (CPE: cpe:2.3:a:kamleshyadav:miraculous:*:*:*:*:*:*:*:*) is a WordPress theme that implements access control mechanisms to restrict user access to certain features or content based on user roles and permissions. The vulnerability stems from CWE-862 (Missing Authorization), which occurs when software fails to perform authorization checks before allowing access to restricted operations or resources. In the context of WordPress themes, this typically manifests as missing capability checks (current_user_can()) or role validation before executing sensitive actions, allowing authenticated or unauthenticated users to perform operations intended only for administrators or higher-privileged roles. The flaw indicates that the theme's access control configuration does not properly enforce security levels across all sensitive endpoints or functions.
RemediationAI
Immediately upgrade the Miraculous theme to version 2.1.2 or later, which contains the authorization control fixes. This can be performed through the WordPress dashboard by navigating to Appearance > Themes, locating Miraculous, and clicking Update if available, or by manually downloading the patched version from the official source and uploading it via SFTP or WordPress file manager. Until patching is completed, WordPress administrators should review and restrict user role assignments, ensuring that only trusted administrators have elevated capabilities, and consider temporarily disabling the theme if it is not actively in use on critical functionality. Additionally, implement WordPress security hardening measures such as enforcing strong authentication (two-factor authentication via a security plugin), limiting login attempts, and regularly auditing user roles and permissions to detect unauthorized access attempts.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15874
GHSA-w55m-jf9q-fmg9