Skip to main content

Ashe CVE-2026-39627

| EUVDEUVD-2026-20275 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-jwh4-j4vr-p96c
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20275
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 4.3

DescriptionCVE.org

Missing Authorization vulnerability in wproyal Ashe ashe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ashe: from n/a through <= 2.266.

AnalysisAI

Missing authorization in the Ashe WordPress theme through version 2.266 allows unauthenticated remote attackers to access restricted functionality through incorrectly configured access control security levels. The vulnerability requires user interaction and is limited to low-impact information disclosure, with a CVSS score of 4.3 and minimal exploitation probability (EPSS 0.02%), indicating this is a low-priority authorization bypass rather than a critical vulnerability.

Technical ContextAI

The vulnerability stems from missing authorization checks (CWE-862) in the Ashe WordPress theme, a widely-distributed WordPress theme product identified by CPE cpe:2.3:a:wproyal:ashe:*:*:*:*:*:*:*:*. The root cause involves incorrectly configured access control security levels within the theme's code, allowing sensitive functions to be accessed without proper privilege verification. This is a common class of vulnerability in WordPress themes where developers fail to implement proper capability checks via functions like current_user_can() or equivalent authorization mechanisms before exposing administrative or restricted functionality to the public.

RemediationAI

Update the Ashe WordPress theme to a patched version released after 2.266 from the official Ashe theme repository. Site administrators should access their WordPress theme management dashboard, identify the Ashe theme, and upgrade to the latest available version. As an interim mitigation, restrict theme functionality or disable the affected features if immediate patching is not possible, and monitor access logs for suspicious requests attempting to exploit the authorization bypass. For detailed patch information and validation, consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/ashe/vulnerability/wordpress-ashe-theme-2-266-broken-access-control-vulnerability.

Share

CVE-2026-39627 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy