Skip to main content

Flatsome CVE-2026-57729

| EUVDEUVD-2026-43378 HIGH
Missing Authorization (CWE-862)
2026-07-13 Patchstack
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated remote request (AV:N/PR:N/UI:N/AC:L) triggers a missing authorization check exposing sensitive data, so C:H with no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:42 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.5

DescriptionCVE.org

Missing Authorization vulnerability in UX-themes Flatsome flatsome allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flatsome: from n/a through <= 3.20.5.

AnalysisAI

Broken access control in the UX-Themes Flatsome WordPress theme (versions up to and including 3.20.5) allows remote unauthenticated attackers to reach functionality or data that should be authorization-gated, resulting in confidentiality-only impact per the CVSS vector. The flaw stems from a missing authorization check (CWE-862) and was catalogued by Patchstack, but there is no public exploit identified at time of analysis and it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Flatsome ≤ 3.20.5
Exploit
Send unauthenticated request to unprotected theme endpoint
Execution
Bypass missing authorization check
Impact
Retrieve exposed sensitive data

Vulnerability AssessmentAI

Exploitation The target must be a WordPress site running the Flatsome theme at version 3.20.5 or earlier, reachable over the network (AV:N), with the vulnerable theme feature/endpoint active - which is the default for a normally installed and activated theme. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderate and partially incomplete. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP request directly to the vulnerable Flatsome theme endpoint that lacks an authorization check, and the theme returns or exposes data that should require a privileged session. Given AV:N/AC:L/PR:N/UI:N, no login, no victim interaction, and only a simple request are needed, though as of this analysis no public exploit code has been identified.
Remediation Upgrade the Flatsome theme to the first release above 3.20.5 that Patchstack/UX-Themes designates as fixed; the exact patched version is not confirmed in the provided data, so verify the current version on the Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/flatsome/vulnerability/wordpress-flatsome-theme-3-20-5-broken-access-control-vulnerability-3) and via the UX-Themes update channel before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all systems running Flatsome theme version 3.20.5 or earlier and assess data sensitivity on affected stores. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57729 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy