Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in acmethemes Education Base education-base allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Education Base: from n/a through <= 3.0.8.
AnalysisAI
Missing authorization controls in acmethemes Education Base WordPress theme (versions through 3.0.8) allow unauthenticated remote attackers to modify content via incorrectly configured access control checks. The vulnerability affects the theme's access control security levels, enabling attackers to bypass authentication mechanisms and alter data on vulnerable installations. With an EPSS score of 0.02% and no confirmed active exploitation, the real-world risk remains low despite the network-accessible attack vector.
Technical ContextAI
The Education Base WordPress theme (CPE:cpe:2.3:a:acmethemes:education_base:*:*:*:*:*:*:*:*) implements custom access control mechanisms that fail to properly validate user permissions before allowing sensitive operations. The vulnerability falls under CWE-862 (Missing Authorization), a fundamental flaw in the theme's security architecture where authorization checks are either absent, bypassed, or misconfigured. This allows the theme's functionality to be exploited when access control security levels are not properly enforced, regardless of intended role-based restrictions. The issue exists in the core theme code responsible for managing user capabilities and endpoint access.
RemediationAI
Update the Education Base theme to version 3.0.9 or later when released, as the current vulnerability affects all versions through 3.0.8. Site administrators using Education Base should immediately navigate to the WordPress dashboard, access Appearance > Themes, and upgrade to the patched version once available from the theme repository or acmethemes directly. Until a patch is released, implement content role restrictions at the WordPress core level using role-based plugins and disable unnecessary theme functionality through theme settings or security plugins that enforce access control policies. Refer to the Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Theme/education-base/vulnerability/wordpress-education-base-theme-3-0-8-broken-access-control-vulnerability) for vendor communications and additional mitigation guidance.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20264
GHSA-37w7-m62f-9cgm