Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in TeconceTheme Mayosis Core allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Mayosis Core: from n/a through 5.4.7.
AnalysisAI
Missing authorization in the Mayosis Core WordPress plugin (versions through 5.4.7) by TeconceTheme allows unauthenticated remote attackers to exploit incorrectly configured access control security levels, resulting in unauthorized modification of data (integrity impact). The CVSS vector confirms no authentication or user interaction is required, and the vulnerability is network-exploitable against default configurations. No public exploit code exists and no active exploitation has been confirmed at time of analysis.
Technical ContextAI
Mayosis Core is a WordPress plugin developed by TeconceTheme, identified by CPE cpe:2.3:a:teconcetheme:mayosis_core:*:*:*:*:*:*:*:*. The root cause is CWE-862 (Missing Authorization): the plugin performs privileged or restricted operations without properly verifying that the requesting user holds the necessary authorization level. This class of vulnerability typically arises when WordPress REST API endpoints, AJAX handlers, or admin-facing callbacks are registered without nonce verification, capability checks (e.g., current_user_can()), or equivalent access control enforcement, allowing any caller - authenticated or not - to trigger functionality that should be restricted. The tag 'Authentication Bypass' further confirms that authorization gates are either absent or bypassable at the access control layer.
RemediationAI
Update Mayosis Core to a version above 5.4.7 as soon as a patched release is confirmed available via the WordPress plugin repository or the TeconceTheme vendor channel. The Patchstack advisory (https://patchstack.com/database/wordpress/plugin/mayosis-core/vulnerability/wordpress-mayosis-core-plugin-5-4-7-broken-access-control-vulnerability) should be monitored for patch version confirmation, as no exact fixed version number was present in the available data at time of analysis. If an immediate update is not possible, a compensating control is to temporarily deactivate the Mayosis Core plugin to eliminate the attack surface entirely - note this will disable associated theme functionality. As a secondary workaround, a WordPress web application firewall (e.g., Patchstack, Wordfence) with virtual patching rules for this CVE can block exploitation attempts without requiring plugin deactivation. No patch version has been independently confirmed from available data; do not assume versions above 5.4.7 are safe without vendor confirmation.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31801
GHSA-hpcp-j63f-vvmq