Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in wproyal Ashe ashe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ashe: from n/a through <= 2.266.
AnalysisAI
Missing authorization in the Ashe WordPress theme through version 2.266 allows unauthenticated remote attackers to access restricted functionality through incorrectly configured access control security levels. The vulnerability requires user interaction and is limited to low-impact information disclosure, with a CVSS score of 4.3 and minimal exploitation probability (EPSS 0.02%), indicating this is a low-priority authorization bypass rather than a critical vulnerability.
Technical ContextAI
The vulnerability stems from missing authorization checks (CWE-862) in the Ashe WordPress theme, a widely-distributed WordPress theme product identified by CPE cpe:2.3:a:wproyal:ashe:*:*:*:*:*:*:*:*. The root cause involves incorrectly configured access control security levels within the theme's code, allowing sensitive functions to be accessed without proper privilege verification. This is a common class of vulnerability in WordPress themes where developers fail to implement proper capability checks via functions like current_user_can() or equivalent authorization mechanisms before exposing administrative or restricted functionality to the public.
RemediationAI
Update the Ashe WordPress theme to a patched version released after 2.266 from the official Ashe theme repository. Site administrators should access their WordPress theme management dashboard, identify the Ashe theme, and upgrade to the latest available version. As an interim mitigation, restrict theme functionality or disable the affected features if immediate patching is not possible, and monitor access logs for suspicious requests attempting to exploit the authorization bypass. For detailed patch information and validation, consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/ashe/vulnerability/wordpress-ashe-theme-2-266-broken-access-control-vulnerability.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20275
GHSA-jwh4-j4vr-p96c