Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in kutethemes KuteShop kuteshop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KuteShop: from n/a through <= 4.2.9.
AnalysisAI
Incorrectly configured access control in kutethemes KuteShop theme versions up to 4.2.9 allows unauthenticated remote attackers to modify data via missing authorization checks on sensitive operations. The vulnerability enables exploitation of insufficient access control mechanisms without authentication, though with limited impact confined to data integrity rather than confidentiality or availability.
Technical ContextAI
KuteShop is a WordPress theme that implements custom functionality requiring proper authorization checks on user-controlled operations. This vulnerability stems from CWE-862 (Missing Authorization), where the application fails to enforce proper access control lists or permission validation before executing sensitive functions. The affected CPE (cpe:2.3:a:kutethemes:kuteshop:*:*:*:*:*:*:*:*) indicates the entire product line through version 4.2.9 is vulnerable. WordPress themes that execute arbitrary shortcode or process administrative actions without role-based access verification are particularly susceptible to this class of vulnerability.
RemediationAI
Update kutethemes KuteShop theme to a version newer than 4.2.9 immediately. Site administrators should navigate to Appearance → Themes in WordPress dashboard, locate KuteShop, and click Update if available. If automatic updates are not yet available, check the official kutethemes repository or Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/kuteshop/vulnerability/wordpress-kuteshop-theme-4-2-9-arbitrary-shortcode-execution-vulnerability for patched release information. As a temporary workaround, restrict theme functionality by disabling shortcode execution for unauthenticated users via WordPress functions.php or security plugins until an update is available, though this may degrade theme features.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20248
GHSA-mfmr-7g5x-h6pm