Skip to main content

Education Base CVE-2026-39622

| EUVDEUVD-2026-20264 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-37w7-m62f-9cgm
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:42 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20264
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in acmethemes Education Base education-base allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Education Base: from n/a through <= 3.0.8.

AnalysisAI

Missing authorization controls in acmethemes Education Base WordPress theme (versions through 3.0.8) allow unauthenticated remote attackers to modify content via incorrectly configured access control checks. The vulnerability affects the theme's access control security levels, enabling attackers to bypass authentication mechanisms and alter data on vulnerable installations. With an EPSS score of 0.02% and no confirmed active exploitation, the real-world risk remains low despite the network-accessible attack vector.

Technical ContextAI

The Education Base WordPress theme (CPE:cpe:2.3:a:acmethemes:education_base:*:*:*:*:*:*:*:*) implements custom access control mechanisms that fail to properly validate user permissions before allowing sensitive operations. The vulnerability falls under CWE-862 (Missing Authorization), a fundamental flaw in the theme's security architecture where authorization checks are either absent, bypassed, or misconfigured. This allows the theme's functionality to be exploited when access control security levels are not properly enforced, regardless of intended role-based restrictions. The issue exists in the core theme code responsible for managing user capabilities and endpoint access.

RemediationAI

Update the Education Base theme to version 3.0.9 or later when released, as the current vulnerability affects all versions through 3.0.8. Site administrators using Education Base should immediately navigate to the WordPress dashboard, access Appearance > Themes, and upgrade to the patched version once available from the theme repository or acmethemes directly. Until a patch is released, implement content role restrictions at the WordPress core level using role-based plugins and disable unnecessary theme functionality through theme settings or security plugins that enforce access control policies. Refer to the Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Theme/education-base/vulnerability/wordpress-education-base-theme-3-0-8-broken-access-control-vulnerability) for vendor communications and additional mitigation guidance.

Share

CVE-2026-39622 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy