Skip to main content

Open Shop CVE-2026-57405

| EUVDEUVD-2026-43476 HIGH
Missing Authorization (CWE-862)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
vuln.today AI
7.1 HIGH

Network-reachable action needs an authenticated low-privileged account (PR:L) with no interaction; missing authorization yields limited integrity tampering (I:L) and high availability disruption (A:H), no data disclosure (C:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:58 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Missing Authorization vulnerability in themehunk Open Shop open-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Open Shop: from n/a through <= 1.7.1.

AnalysisAI

Broken access control in the ThemeHunk Open Shop WordPress theme (versions up to and including 1.7.1) lets an authenticated low-privileged user reach functionality that should be restricted, tampering with data and degrading site availability. Reported by Patchstack and rated CVSS 7.1, the flaw stems from missing authorization checks on a privileged action. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged account
Exploit
Send crafted authenticated request
Execution
Reach action missing capability check
Impact
Tamper data / disrupt availability

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account of at least low privilege (CVSS PR:L) on a site running ThemeHunk Open Shop version 1.7.1 or earlier; no user interaction and no elevated/admin role is needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H) describes a network-reachable, low-complexity issue requiring some authentication (PR:L) and no user interaction, with no confidentiality impact, limited integrity impact, and high availability impact - consistent with an authorization gap that lets a low-privileged account disrupt or alter site state rather than read secrets. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a low-privileged WordPress account on a site running Open Shop <= 1.7.1, then sends a crafted authenticated request to the theme action that lacks a capability check, invoking privileged functionality. Because integrity and availability are impacted, this can be used to alter site/store data or push the site into a broken or unavailable state. …
Remediation No vendor-released patch version was identified at time of analysis; the input does not name a fixed release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all WordPress installations to identify those running ThemeHunk Open Shop theme version 1.7.1 or earlier and document current low-privilege user accounts and their permissions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57405 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy