Skip to main content

Flatsome Theme CVE-2026-57730

| EUVDEUVD-2026-41300 MEDIUM
Missing Authorization (CWE-862)
2026-07-02 Patchstack GHSA-5wj4-4cxx-q463
4.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

PR:L confirmed by 'Subscriber' in title; C:L only as no integrity or availability impact is described; AV:N and AC:L per network-accessible WordPress AJAX pattern.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:32 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in Flatsome <= 3.20.5 versions.

AnalysisAI

Broken access control in Flatsome WordPress theme versions 3.20.5 and earlier allows authenticated subscriber-level users to access restricted resources or perform actions beyond their intended authorization. The flaw stems from missing authorization checks (CWE-862) on one or more endpoints or actions within the theme, enabling low-privilege WordPress users to retrieve information they should not be permitted to view. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain subscriber WordPress account
Exploit
Send crafted authenticated request to unprotected theme endpoint
Execution
Bypass missing authorization check
Impact
Read restricted confidential data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session at subscriber privilege level or higher - this is the critical limiting condition. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS score of 4.3 (Medium) accurately reflects a meaningful but not critical risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or already holds a subscriber account on a WooCommerce-enabled site running Flatsome 3.20.5 or earlier - a common scenario on any store with customer self-registration. The attacker then sends a crafted authenticated HTTP request to a theme-specific endpoint or AJAX action that lacks proper capability checks, retrieving restricted data such as order details, theme configuration, or user information. …
Remediation Update the Flatsome theme to a version released after 3.20.5, which should contain the authorization fix per Patchstack's disclosure at https://patchstack.com/database/wordpress/theme/flatsome/vulnerability/wordpress-flatsome-theme-3-20-5-broken-access-control-vulnerability?_s_id=cve. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57730 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy