Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in SpabRice Mogi mogi allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mogi: from n/a through <= 1.2.3.
AnalysisAI
SpabRice Mogi theme versions through 1.2.3 fail to properly enforce authorization controls, allowing unauthenticated remote attackers to access restricted functionality due to incorrectly configured access control security levels. The vulnerability has a CVSS score of 5.3 with low confidentiality impact but no integrity or availability impact. EPSS exploitation probability is minimal at 0.02%, and no public exploit code or active exploitation has been identified.
Technical ContextAI
The vulnerability stems from missing authorization checks (CWE-862) in the SpabRice Mogi theme, a WordPress theme product identified via CPE cpe:2.3:a:spabrice:mogi:*:*:*:*:*:*:*:*. The root cause involves incorrectly configured access control security levels that fail to validate user privileges before allowing access to sensitive functionality. This authorization flaw allows an attacker to bypass intended access restrictions and retrieve information that should be protected, consistent with the confidentiality impact indicated in the CVSS vector. The issue appears related to shortcode execution handling based on reference documentation, suggesting the theme's custom functionality lacks proper privilege validation mechanisms.
RemediationAI
Site administrators should upgrade the Mogi theme to a version newer than 1.2.3 as soon as patched versions are released by SpabRice. Detailed remediation and patch availability should be confirmed via the official SpabRice advisory and the Patchstack vulnerability database (https://patchstack.com/database/Wordpress/Theme/mogi/vulnerability/wordpress-mogi-theme-1-2-3-arbitrary-shortcode-execution-vulnerability?_s_id=cve). In the interim, administrators should restrict access to affected theme functionality through WordPress user role management and disable or limit shortcode usage if the plugin supports such controls. Verify patch status and exact fix versions through the theme vendor's official release notes before deployment.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20294
GHSA-vvr2-x7rw-p62r