Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in CKThemes Flipmart flipmart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flipmart: from n/a through <= 2.8.
AnalysisAI
CKThemes Flipmart theme through version 2.8 contains a missing authorization vulnerability enabling unauthenticated remote attackers to bypass access control restrictions and gain limited read access to sensitive information. The vulnerability stems from incorrectly configured access control security levels that fail to properly validate user permissions before exposing restricted functionality. While the CVSS score of 5.3 reflects moderate severity, the EPSS score of 0.02% and SSVC assessment indicating no known exploitation suggest this is a lower-priority issue in practice, though the automatable nature of exploitation makes it a candidate for proactive remediation in shared hosting environments.
Technical ContextAI
The vulnerability is rooted in CWE-862 (Missing Authorization), a classic access control flaw where the Flipmart WordPress theme fails to enforce proper permission checks on sensitive operations or data endpoints. Rather than a cryptographic or injection-based vulnerability, this is an authorization bypass issue where the application either omits authorization checks entirely or implements them incorrectly, allowing unauthenticated users to access functionality intended only for authenticated or higher-privileged accounts. The affected product is the CKThemes Flipmart WordPress theme (CPE: cpe:2.3:a:ckthemes:flipmart:*:*:*:*:*:*:*:*), which is a template or theme plugin for WordPress. The CVSS vector AV:N/AC:L/PR:N indicates this is exploitable remotely over the network with low attack complexity and requires no prior privileges, making automation feasible for reconnaissance or data harvesting at scale.
RemediationAI
Upgrade CKThemes Flipmart to a patched version released after 2.8. Vendor advisory and detailed fix information should be obtained from Patchstack's vulnerability database (https://patchstack.com/database/Wordpress/Theme/flipmart/vulnerability/wordpress-flipmart-theme-2-8-broken-access-control-vulnerability?_s_id=cve) or the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-39716). If an immediate patch is not available, implement a temporary workaround by disabling or restricting access to the affected Flipmart endpoints via Web Application Firewall (WAF) rules, or by limiting theme functionality until a patched version is released. Site administrators using this theme should check CKThemes' official website or WordPress.org theme repository for available updates.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20430
GHSA-38gq-23v5-5q4r