Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Subscriber authentication required (PR:L) with network delivery; impact is confidentiality-only read access (C:L), no integrity or availability consequence confirmed.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Broken Access Control in Werkstatt <= 4.7.2 versions.
AnalysisAI
Broken access control in the Werkstatt WordPress theme (Fuelthemes) versions 4.7.2 and below allows subscriber-level authenticated users to access functionality or data restricted to higher-privileged roles. The root cause is missing authorization checks (CWE-862), permitting low-privilege WordPress accounts to bypass intended access restrictions and read protected information. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress user account with at minimum subscriber-level privileges on the target site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.3 (Medium) reflects a constrained but real risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker navigates to a WordPress site running Werkstatt 4.7.2 or earlier with open user registration enabled, creates a subscriber account, and authenticates. The attacker then sends crafted HTTP requests directly to the theme's unprotected AJAX or REST endpoints - requests that the theme fails to gate with a capability check - and retrieves content or data visible only to editors or administrators. … |
| Remediation | Upgrade the Werkstatt theme to a version above 4.7.2 via the WordPress dashboard or by downloading the latest release from the theme vendor. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
PHP Object Injection in the Werkstatt WordPress theme (fuelthemes) through version 4.8.3 lets a Contributor-level user p
Cross-Site Request Forgery in the Werkstatt WordPress theme (FuelThemes) version 4.7.2 and earlier allows remote unauthe
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41298
GHSA-69q5-h2w4-49j7