Skip to main content

Werkstatt Theme CVE-2026-57689

| EUVDEUVD-2026-41298 MEDIUM
Missing Authorization (CWE-862)
2026-07-02 Patchstack GHSA-69q5-h2w4-49j7
4.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Subscriber authentication required (PR:L) with network delivery; impact is confidentiality-only read access (C:L), no integrity or availability consequence confirmed.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:33 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in Werkstatt <= 4.7.2 versions.

AnalysisAI

Broken access control in the Werkstatt WordPress theme (Fuelthemes) versions 4.7.2 and below allows subscriber-level authenticated users to access functionality or data restricted to higher-privileged roles. The root cause is missing authorization checks (CWE-862), permitting low-privilege WordPress accounts to bypass intended access restrictions and read protected information. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register subscriber account on target WordPress site
Delivery
Authenticate via wp-login.php
Exploit
Identify unprotected theme AJAX or REST endpoint
Execution
Send crafted HTTP request without elevated privilege
Persist
Bypass missing authorization check
Impact
Access restricted confidential data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress user account with at minimum subscriber-level privileges on the target site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.3 (Medium) reflects a constrained but real risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker navigates to a WordPress site running Werkstatt 4.7.2 or earlier with open user registration enabled, creates a subscriber account, and authenticates. The attacker then sends crafted HTTP requests directly to the theme's unprotected AJAX or REST endpoints - requests that the theme fails to gate with a capability check - and retrieves content or data visible only to editors or administrators. …
Remediation Upgrade the Werkstatt theme to a version above 4.7.2 via the WordPress dashboard or by downloading the latest release from the theme vendor. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57689 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy