Skip to main content

VW Food Corner CVE-2026-57774

| EUVDEUVD-2026-43394 MEDIUM
Missing Authorization (CWE-862)
2026-07-13 Patchstack
5.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
6.5 MEDIUM

Missing authorization in a WordPress theme plausibly enables unauthorized modification of theme settings (I:L), not just availability; C:N as no data exposure is indicated.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 11:21 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in vowelweb VW Food Corner vw-food-corner allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Food Corner: from n/a through <= 1.1.0.

AnalysisAI

Missing authorization controls in the VW Food Corner WordPress theme (versions through 1.1.0) permit unauthenticated remote attackers to invoke restricted theme functionality without valid access credentials, resulting in availability impact. Reported by Patchstack and classified under CWE-862, the flaw stems from incorrectly configured access control levels that fail to verify caller identity or capability before executing protected actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Enumerate WordPress site for VW Food Corner theme
Delivery
Identify unguarded AJAX or REST endpoint
Exploit
Send unauthenticated crafted HTTP request
Execution
Bypass absent authorization check
Persist
Trigger restricted theme functionality
Impact
Cause low-severity availability disruption

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target WordPress installation has the VW Food Corner theme installed and active at version 1.1.0 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L reflects a remotely exploitable, low-complexity flaw requiring no authentication or user interaction, but with impact capped at low availability only - no confidentiality or integrity degradation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker discovers a WordPress site running VW Food Corner theme version 1.1.0 or earlier - identifiable via page source meta tags or WordPress theme enumeration. The attacker sends a crafted HTTP POST request to the site's wp-admin/admin-ajax.php endpoint (or equivalent REST route) targeting the unprotected theme action, which executes without any authorization check, triggering a minor availability disruption such as resetting theme configuration or invoking a resource-intensive process. …
Remediation No confirmed patched release version has been independently verified from the available data - site operators should check the WordPress.org theme repository and the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/vw-food-corner/vulnerability/wordpress-vw-food-corner-theme-1-1-0-broken-access-control-vulnerability for an updated release beyond 1.1.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57774 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy