Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Network-exposed WordPress theme endpoint with no authorization check enables unauthenticated access; C:N because no data disclosure is described in the vulnerability.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Metro Magazine: from n/a through 1.4.1.
AnalysisAI
Missing authorization controls in the Metro Magazine WordPress theme by Rara Themes (versions through 1.4.1) expose unauthenticated network attackers to restricted theme actions, yielding partial integrity and availability impact without any credential requirement. Rooted in CWE-862 (Missing Authorization), the flaw reflects a broken access control pattern common in WordPress themes that register AJAX or REST endpoints without validating the caller's privilege level. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; EPSS data was not provided in available intelligence.
Technical ContextAI
Metro Magazine is a WordPress theme produced by Rara Themes, identified by CPE cpe:2.3:a:rara_themes:metro_magazine:*:*:*:*:*:*:*:* across all versions through 1.4.1. WordPress themes can register privileged AJAX handlers (wp_ajax_nopriv_*) or REST API endpoints that are reachable without authentication; CWE-862 (Missing Authorization) describes the failure to enforce a capability or nonce check before permitting the requested action. This maps directly to OWASP A01:2021 Broken Access Control. The Patchstack tag 'Authentication Bypass' further confirms that the authorization gate is entirely absent rather than merely weakened, allowing callers at PR:N to exercise functionality intended for higher-privilege roles.
RemediationAI
WordPress administrators should update the Metro Magazine theme to a version beyond 1.4.1 immediately upon vendor release - consult the WordPress theme repository and the Patchstack advisory at https://patchstack.com/database/wordpress/theme/metro-magazine/vulnerability/wordpress-metro-magazine-theme-1-4-1-broken-access-control-vulnerability?_s_id=cve for the confirmed patched release version, which is not explicitly stated in the available intelligence. If a patched version is not yet available, the most effective compensating control is deactivating the Metro Magazine theme and substituting an unaffected theme, eliminating the attack surface entirely. Alternatively, a WordPress-aware WAF solution such as Patchstack Shield or Wordfence with virtual patching rules can block unauthorized requests to the vulnerable endpoints, though this may inadvertently block legitimate theme functionality if rules are not precisely scoped to the affected action.
More in Metro Magazine
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37058
GHSA-57gx-7458-mhwq