Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Network-reachable WordPress endpoint with no auth required; impact limited to availability per description and CWE-862 scope, no confidentiality or integrity evidence.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in vowelweb VW Wedding vw-wedding allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Wedding: from n/a through <= 1.3.7.
AnalysisAI
Broken access control in the VW Wedding WordPress theme (vowelweb) allows unauthenticated remote attackers to exploit incorrectly configured authorization checks, resulting in limited availability impact against affected WordPress installations. All versions through 1.3.7 are affected per the CPE string cpe:2.3:a:vowelweb:vw_wedding. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target WordPress site to have the VW Wedding theme by vowelweb installed and active in version 1.3.7 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.3 (Medium) reflects a network-reachable (AV:N), low-complexity (AC:L), unauthenticated (PR:N) vector, but the impact metrics are constrained: no confidentiality loss (C:N), no integrity impact (I:N), and only low availability impact (A:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies a WordPress site running VW Wedding theme version 1.3.7 or earlier - discoverable via HTTP response headers or source inspection - and sends a crafted HTTP request to a theme-registered endpoint that lacks authorization checks. The missing authorization gate allows the request to succeed without credentials, triggering a restricted operation that results in limited availability degradation of the WordPress instance. … |
| Remediation | No specific fixed version is identified in the available data; no exact patch version can be cited from the provided references. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43395