Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in kutethemes Biolife biolife allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Biolife: from n/a through <= 3.2.3.
AnalysisAI
Incorrectly configured access control in kutethemes Biolife WordPress theme version 3.2.3 and earlier allows unauthenticated remote attackers to bypass authorization checks and modify content via arbitrary shortcode execution. The vulnerability requires no authentication and can be exploited over the network with low complexity, affecting the integrity of web content served to visitors. EPSS score of 0.02% indicates minimal real-world exploitation probability despite network-accessible attack vector.
Technical ContextAI
The kutethemes Biolife theme implements shortcode functionality in WordPress without proper authorization validation (CWE-862: Missing Authorization). Shortcodes are WordPress's mechanism for embedding dynamic content via simple markup tags. The vulnerability stems from inadequate access control checks when processing these shortcode requests, allowing unauthenticated users to execute shortcodes that should be restricted to administrators or editors. WordPress themes typically filter user input through the do_shortcode() function; improper permission checking before executing shortcode callbacks creates this exposure. The affected component is the theme's shortcode handler logic, which fails to verify user capabilities (administrator, editor, contributor roles) before executing theme-specific shortcodes that can modify or inject content.
RemediationAI
Upgrade kutethemes Biolife theme to version 3.2.4 or later, which includes authorization checks for shortcode execution. Site administrators should navigate to WordPress Dashboard → Appearance → Themes, locate Biolife in the theme list, and select 'Update' if available, or manually download the latest version from the theme vendor and upload via SFTP or WordPress theme upload interface. Until patched, temporarily disable the Biolife theme or replace it with an alternative theme that has been audited for authorization vulnerabilities. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/biolife/vulnerability/wordpress-biolife-theme-3-2-3-arbitrary-shortcode-execution-vulnerability) for confirmation of patch availability and any interim guidance from kutethemes.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20268