Skip to main content

Mogi CVE-2026-39637

| EUVDEUVD-2026-20294 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-vvr2-x7rw-p62r
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20294
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in SpabRice Mogi mogi allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mogi: from n/a through <= 1.2.3.

AnalysisAI

SpabRice Mogi theme versions through 1.2.3 fail to properly enforce authorization controls, allowing unauthenticated remote attackers to access restricted functionality due to incorrectly configured access control security levels. The vulnerability has a CVSS score of 5.3 with low confidentiality impact but no integrity or availability impact. EPSS exploitation probability is minimal at 0.02%, and no public exploit code or active exploitation has been identified.

Technical ContextAI

The vulnerability stems from missing authorization checks (CWE-862) in the SpabRice Mogi theme, a WordPress theme product identified via CPE cpe:2.3:a:spabrice:mogi:*:*:*:*:*:*:*:*. The root cause involves incorrectly configured access control security levels that fail to validate user privileges before allowing access to sensitive functionality. This authorization flaw allows an attacker to bypass intended access restrictions and retrieve information that should be protected, consistent with the confidentiality impact indicated in the CVSS vector. The issue appears related to shortcode execution handling based on reference documentation, suggesting the theme's custom functionality lacks proper privilege validation mechanisms.

RemediationAI

Site administrators should upgrade the Mogi theme to a version newer than 1.2.3 as soon as patched versions are released by SpabRice. Detailed remediation and patch availability should be confirmed via the official SpabRice advisory and the Patchstack vulnerability database (https://patchstack.com/database/Wordpress/Theme/mogi/vulnerability/wordpress-mogi-theme-1-2-3-arbitrary-shortcode-execution-vulnerability?_s_id=cve). In the interim, administrators should restrict access to affected theme functionality through WordPress user role management and disable or limit shortcode usage if the plugin supports such controls. Verify patch status and exact fix versions through the theme vendor's official release notes before deployment.

Share

CVE-2026-39637 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy