Skip to main content

Kuteshop EUVDEUVD-2026-20248

| CVE-2026-39612 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-mfmr-7g5x-h6pm
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:41 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20248
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in kutethemes KuteShop kuteshop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KuteShop: from n/a through <= 4.2.9.

AnalysisAI

Incorrectly configured access control in kutethemes KuteShop theme versions up to 4.2.9 allows unauthenticated remote attackers to modify data via missing authorization checks on sensitive operations. The vulnerability enables exploitation of insufficient access control mechanisms without authentication, though with limited impact confined to data integrity rather than confidentiality or availability.

Technical ContextAI

KuteShop is a WordPress theme that implements custom functionality requiring proper authorization checks on user-controlled operations. This vulnerability stems from CWE-862 (Missing Authorization), where the application fails to enforce proper access control lists or permission validation before executing sensitive functions. The affected CPE (cpe:2.3:a:kutethemes:kuteshop:*:*:*:*:*:*:*:*) indicates the entire product line through version 4.2.9 is vulnerable. WordPress themes that execute arbitrary shortcode or process administrative actions without role-based access verification are particularly susceptible to this class of vulnerability.

RemediationAI

Update kutethemes KuteShop theme to a version newer than 4.2.9 immediately. Site administrators should navigate to Appearance → Themes in WordPress dashboard, locate KuteShop, and click Update if available. If automatic updates are not yet available, check the official kutethemes repository or Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/kuteshop/vulnerability/wordpress-kuteshop-theme-4-2-9-arbitrary-shortcode-execution-vulnerability for patched release information. As a temporary workaround, restrict theme functionality by disabling shortcode execution for unauthenticated users via WordPress functions.php or security plugins until an update is available, though this may degrade theme features.

Share

EUVD-2026-20248 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy