Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Incorrect Privilege Assignment vulnerability in uxper Golo golo allows Privilege Escalation.This issue affects Golo: from n/a through <= 1.7.0.
AnalysisAI
An Incorrect Privilege Assignment vulnerability (CWE-266) exists in uxper Golo theme versions up to and including 1.7.0, enabling privilege escalation attacks. This WordPress theme vulnerability allows attackers to elevate their privileges within the application, potentially gaining unauthorized administrative access. The vulnerability was reported by Patchstack and affects all versions from an unspecified baseline through 1.7.0; no CVSS score, EPSS data, or active KEV status information is currently available.
Technical ContextAI
The vulnerability is rooted in CWE-266 (Incorrect Privilege Assignment), a weakness class that occurs when software assigns incorrect privilege levels to user accounts or operations. In the context of the uxper Golo WordPress theme (identified via CPE cpe:2.3:a:uxper:golo:*:*:*:*:*:*:*:*), this flaw likely resides in role-checking or capability-validation functions within the theme's backend logic. WordPress themes operate within WordPress's role-based access control framework (Admin, Editor, Author, Contributor, Subscriber), and this vulnerability suggests the Golo theme fails to properly enforce these boundaries, allowing lower-privileged users to assume higher privilege levels through improper permission checks or missing authorization validations in theme-specific functions.
RemediationAI
The primary remediation is to upgrade the uxper Golo theme to a version later than 1.7.0 once a patch is released by uxper or the theme maintainers; monitor the Patchstack database (https://patchstack.com/database/Wordpress/Theme/golo) and official theme repositories for patched versions. Until a patch is available, administrators should implement compensating controls: restrict WordPress user account creation and role assignment to trusted personnel only, audit existing user roles to remove any unnecessary elevated privileges, enable comprehensive audit logging to detect unauthorized privilege escalation attempts, and consider temporarily disabling Golo theme-specific functionality if it relies on the flawed privilege logic. For critical installations, consider temporarily switching to an alternative theme until the patch is validated and deployed.
The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeo
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the uxper Golo theme that allows attackers to inject mali
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15769
GHSA-gcfq-p9h5-pjmx