Skip to main content

Martfury Theme CVE-2026-57685

| EUVDEUVD-2026-41294 MEDIUM
Missing Authorization (CWE-862)
2026-07-02 Patchstack GHSA-4whc-9fj9-8jg8
4.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Subscriber authentication confirmed by vulnerability title and PR:L; network vector and low integrity-only impact align with missing authorization on a theme endpoint.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 12:33 vuln.today
CVE Published
Jul 02, 2026 - 11:15 cve.org
MEDIUM 4.3

DescriptionCVE.org

Subscriber Broken Access Control in Martfury - WooCommerce Marketplace WordPress Theme <= 3.2.8 versions.

AnalysisAI

Broken access control in Martfury WooCommerce Marketplace WordPress Theme (versions <= 3.2.8) permits authenticated subscriber-level users to invoke functionality restricted to higher-privilege roles, achieving unauthorized integrity modifications. The flaw is rooted in CWE-862 (Missing Authorization), where theme-controlled endpoints or action handlers fail to verify that the requesting user holds sufficient capabilities beyond basic authentication. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register subscriber account on marketplace
Delivery
Identify theme endpoint lacking authorization check
Exploit
Send crafted authenticated request to endpoint
Execution
Bypass missing capability verification
Impact
Execute unauthorized integrity-impacting operation

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid subscriber-level WordPress account on the target site - confirmed by the CVSS PR:L metric and the vulnerability title naming subscriber as the exploiting role. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.3 (Medium) reflects network accessibility (AV:N), low complexity (AC:L), low privilege requirement (PR:L), no user interaction (UI:N), unchanged scope, and integrity-only impact (I:L, C:N, A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on the target WooCommerce marketplace, then sends a crafted authenticated HTTP request to a theme-registered AJAX handler or REST endpoint that omits authorization checks. Because no capability check gates the operation, the subscriber's request is processed as if it originated from a privileged user, allowing unauthorized modification of marketplace data such as product listings, orders, or vendor settings. …
Remediation Upgrade the Martfury WooCommerce Marketplace WordPress Theme beyond version 3.2.8 by consulting the Patchstack advisory (https://patchstack.com/database/wordpress/theme/martfury/vulnerability/wordpress-martfury-woocommerce-marketplace-wordpress-theme-theme-3-2-8-broken-access-control-vulnerability) for the exact patched release version - an explicit fix version was not confirmed in the available input data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57685 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy