Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in EnvoThemes Envo Extra envo-extra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Envo Extra: from n/a through <= 1.9.13.
AnalysisAI
Envo Extra through version 1.9.13 contains an authorization bypass that allows authenticated attackers to access or modify sensitive data due to improperly configured access controls. An attacker with valid credentials can exploit this vulnerability to perform unauthorized actions within the plugin. No patch is currently available, and the vulnerability has not been confirmed as actively exploited.
Technical ContextAI
This vulnerability is classified as CWE-862 (Missing Authorization), a common web application security flaw where access control checks are either absent or improperly implemented. The Envo Extra plugin, which provides extended functionality for EnvoThemes WordPress themes (CPE: cpe:2.3:a:envothemes:envo-extra), fails to properly validate user permissions before allowing access to sensitive operations or data. The plugin runs within the WordPress ecosystem and likely lacks proper capability checks (such as current_user_can() in WordPress) when handling authenticated requests, allowing users with the 'subscriber' or 'contributor' role to perform actions restricted to 'editor' or 'administrator' roles. This represents a horizontal privilege escalation vulnerability where authenticated attackers can laterally access resources beyond their intended scope.
RemediationAI
Immediately upgrade EnvoThemes Envo Extra to a patched version beyond 1.9.13 (check the official EnvoThemes website or WordPress plugin repository for the latest stable release). If an immediate patch is not available from the vendor, temporarily disable the Envo Extra plugin until an update is released, and restrict WordPress user roles to only those necessary for your site operations—review and audit user permissions to ensure principle of least privilege is enforced. As an interim mitigation, limit login access to trusted IP addresses via Web Application Firewall rules or .htaccess restrictions, and monitor WordPress user activity logs for unauthorized access attempts to restricted features. Contact EnvoThemes support directly for notification of patch availability and recommended upgrade procedures.
More in Envo Extra
View allImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EnvoThemes Envo Ex
The Envo Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_css_id’ parameter withi
The Envo Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up
The Envo Extra plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.3 vi
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11893