Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated remote request (AV:N/PR:N/UI:N/AC:L) triggers a missing authorization check exposing sensitive data, so C:H with no integrity or availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in UX-themes Flatsome flatsome allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flatsome: from n/a through <= 3.20.5.
AnalysisAI
Broken access control in the UX-Themes Flatsome WordPress theme (versions up to and including 3.20.5) allows remote unauthenticated attackers to reach functionality or data that should be authorization-gated, resulting in confidentiality-only impact per the CVSS vector. The flaw stems from a missing authorization check (CWE-862) and was catalogued by Patchstack, but there is no public exploit identified at time of analysis and it is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target must be a WordPress site running the Flatsome theme at version 3.20.5 or earlier, reachable over the network (AV:N), with the vulnerable theme feature/endpoint active - which is the default for a normally installed and activated theme. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are moderate and partially incomplete. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP request directly to the vulnerable Flatsome theme endpoint that lacks an authorization check, and the theme returns or exposes data that should require a privileged session. Given AV:N/AC:L/PR:N/UI:N, no login, no victim interaction, and only a simple request are needed, though as of this analysis no public exploit code has been identified. |
| Remediation | Upgrade the Flatsome theme to the first release above 3.20.5 that Patchstack/UX-Themes designates as fixed; the exact patched version is not confirmed in the provided data, so verify the current version on the Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/flatsome/vulnerability/wordpress-flatsome-theme-3-20-5-broken-access-control-vulnerability-3) and via the UX-Themes update channel before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all systems running Flatsome theme version 3.20.5 or earlier and assess data sensitivity on affected stores. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Deserialization of Untrusted Data vulnerability in UX-themes Flatsome | Multi-Purpose Responsive WooCommerce Theme.17.5.
Reflected cross-site scripting in the UX-themes Flatsome WordPress/WooCommerce theme (all versions up to and including 3
Broken access control in the Flatsome WordPress theme (versions <= 3.20.5) allows contributor-level authenticated users
The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the UX Countdown, Video Button, UX Vid
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at
Insufficient authorization controls in Flatsome theme versions 3.19.6 and earlier allow unauthenticated remote attackers
Broken access control in Flatsome WordPress theme versions 3.20.5 and earlier allows authenticated subscriber-level user
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43378