Skip to main content

Flipmart EUVDEUVD-2026-20430

| CVE-2026-39716 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-38gq-23v5-5q4r
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20430
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in CKThemes Flipmart flipmart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flipmart: from n/a through <= 2.8.

AnalysisAI

CKThemes Flipmart theme through version 2.8 contains a missing authorization vulnerability enabling unauthenticated remote attackers to bypass access control restrictions and gain limited read access to sensitive information. The vulnerability stems from incorrectly configured access control security levels that fail to properly validate user permissions before exposing restricted functionality. While the CVSS score of 5.3 reflects moderate severity, the EPSS score of 0.02% and SSVC assessment indicating no known exploitation suggest this is a lower-priority issue in practice, though the automatable nature of exploitation makes it a candidate for proactive remediation in shared hosting environments.

Technical ContextAI

The vulnerability is rooted in CWE-862 (Missing Authorization), a classic access control flaw where the Flipmart WordPress theme fails to enforce proper permission checks on sensitive operations or data endpoints. Rather than a cryptographic or injection-based vulnerability, this is an authorization bypass issue where the application either omits authorization checks entirely or implements them incorrectly, allowing unauthenticated users to access functionality intended only for authenticated or higher-privileged accounts. The affected product is the CKThemes Flipmart WordPress theme (CPE: cpe:2.3:a:ckthemes:flipmart:*:*:*:*:*:*:*:*), which is a template or theme plugin for WordPress. The CVSS vector AV:N/AC:L/PR:N indicates this is exploitable remotely over the network with low attack complexity and requires no prior privileges, making automation feasible for reconnaissance or data harvesting at scale.

RemediationAI

Upgrade CKThemes Flipmart to a patched version released after 2.8. Vendor advisory and detailed fix information should be obtained from Patchstack's vulnerability database (https://patchstack.com/database/Wordpress/Theme/flipmart/vulnerability/wordpress-flipmart-theme-2-8-broken-access-control-vulnerability?_s_id=cve) or the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-39716). If an immediate patch is not available, implement a temporary workaround by disabling or restricting access to the affected Flipmart endpoints via Web Application Firewall (WAF) rules, or by limiting theme functionality until a patched version is released. Site administrators using this theme should check CKThemes' official website or WordPress.org theme repository for available updates.

Share

EUVD-2026-20430 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy