Skip to main content

Royale News EUVDEUVD-2026-20314

| CVE-2026-39649 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-9hr8-hx97-625q
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:42 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20314
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in themebeez Royale News royale-news allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Royale News: from n/a through <= 2.2.4.

AnalysisAI

Royale News WordPress theme through version 2.2.4 allows unauthenticated remote attackers to modify content via incorrectly configured access control, enabling unauthorized data integrity compromise despite the lack of direct confidentiality impact. EPSS probability remains low at 0.02% percentile, suggesting limited real-world exploitation likelihood despite the network-accessible vector. Patch status indicates remediation is available through the vendor advisory.

Technical ContextAI

The vulnerability stems from CWE-862 (Missing Authorization), a class of access control flaws where security checks fail to verify user permissions before allowing state-changing operations. Royale News is a WordPress theme (CPE: cpe:2.3:a:themebeez:royale_news:*:*:*:*:*:*:*:*) that handles content management and templating within WordPress installations. The incorrectly configured access control security levels allow the application to accept requests that should be restricted by role or capability checks, permitting unauthenticated modification of protected resources. This is distinct from authentication bypass-the application does not verify authorization levels after accepting a connection, rather than skipping authentication entirely.

RemediationAI

Update Royale News to a version greater than 2.2.4; consult the vendor advisory at Patchstack (https://patchstack.com/database/Wordpress/Theme/royale-news/vulnerability/wordpress-royale-news-theme-2-2-4-broken-access-control-vulnerability) for the specific patched release version. As an interim measure, restrict direct HTTP access to theme admin endpoints and implement capability checks at the application level through WordPress security plugins that enforce role-based access control. Verify that WordPress user roles and permissions are correctly configured and that the theme's functions.php does not bypass capability checks via add_action hooks.

Share

EUVD-2026-20314 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy