Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Themeansar Newses allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Newses: from n/a through 2.0.0.77.
AnalysisAI
Missing Authorization in the Newses WordPress theme (Themeansar) through version 2.0.0.77 permits low-privileged authenticated users to exploit incorrectly configured access control security levels, resulting in partial integrity and availability impact. The flaw, reported by Patchstack and tracked under ENISA EUVD-2026-31747, allows an authenticated attacker to perform actions beyond their intended permission scope without proper authorization checks. No public exploit code or active exploitation has been identified at time of analysis, and all available signals - EPSS at 0.04%, SSVC exploitation status of 'none', and Automatable: no - indicate limited real-world threat at this time.
Technical ContextAI
The vulnerability is rooted in CWE-862 (Missing Authorization), a class of flaw where server-side code fails to verify that the authenticated requester has sufficient permission to perform a given action before executing it. In WordPress theme architecture, this typically manifests as AJAX handlers, REST API endpoints, or admin-panel actions that check for authentication (nonce or login state) but skip capability checks - meaning any logged-in user, regardless of role (subscriber, contributor, etc.), can trigger privileged functionality. The affected product is identified by CPE cpe:2.3:a:themeansar:newses:*:*:*:*:*:*:*:* covering all versions up to and including 2.0.0.77. The CVSS vector AV:N/AC:L/PR:L/UI:N reflects that exploitation requires only a valid low-privilege account and a network request, with no interaction from higher-privileged users needed.
RemediationAI
The primary remediation is to update the Newses theme to a version released after 2.0.0.77; the Patchstack advisory at https://patchstack.com/database/wordpress/theme/newses/vulnerability/wordpress-newses-theme-2-0-0-77-broken-access-control-vulnerability should be consulted for the specific patched release version, which was not independently confirmed in the available input data. If an updated theme version is not yet available, a compensating control is to restrict the WordPress site to trusted authenticated users only - disable open registration and remove untrusted low-privilege accounts (subscribers, contributors) to eliminate the PR:L attack surface. Alternatively, a Web Application Firewall rule (e.g., via Patchstack's virtual patching feature) can block exploitation of the specific unprotected endpoint while a theme update is applied. Note that disabling user registration may impact site functionality if the theme is used in a membership or community context.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31747
GHSA-7f6v-34pp-pxv2