Skip to main content

NanoCare EUVDEUVD-2026-31753

| CVE-2026-32389 MEDIUM
Missing Authorization (CWE-862)
2026-05-25 Patchstack GHSA-5gwj-3vhg-r8mv
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 11:31 vuln.today
Patch available
May 26, 2026 - 14:01 EUVD

DescriptionCVE.org

Missing Authorization vulnerability in Linethemes NanoCare allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects NanoCare: from n/a before 1.2.2.

AnalysisAI

Missing authorization in the NanoCare WordPress theme (Linethemes) before version 1.2.2 permits low-privileged authenticated users to exploit incorrectly configured access control levels, resulting in limited integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) confirms network-accessible exploitation requiring only a low-privilege account with no user interaction. No public exploit code exists and no active exploitation has been confirmed; EPSS at 0.04% (11th percentile) and SSVC exploitation status of 'none' indicate this is currently a theoretical rather than actively weaponized risk.

Technical ContextAI

NanoCare is a WordPress theme developed by Linethemes, identified via CPE cpe:2.3:a:linethemes:nanocare:*:*:*:*:*:*:*:*. The root cause is CWE-862 (Missing Authorization), a class of flaw where the application performs sensitive operations without verifying that the requesting authenticated principal has the necessary permissions. In the WordPress context, this typically manifests as theme-registered REST API endpoints, AJAX handlers, or admin-facing actions that fail to implement capability checks (e.g., via current_user_can()), allowing any logged-in user - including subscribers or customers - to invoke functionality intended for administrators or editors. The scope is unchanged (S:U), suggesting the impact is contained within the WordPress application boundary rather than breaking out to the underlying host.

RemediationAI

Vendor-released patch: NanoCare version 1.2.2. Site administrators should update the NanoCare theme to 1.2.2 or later immediately via the WordPress dashboard or by downloading from the theme vendor. The Patchstack advisory (https://patchstack.com/database/wordpress/theme/nanocare/vulnerability/wordpress-nanocare-theme-1-2-2-broken-access-control-vulnerability) documents the fix. If an immediate upgrade is not feasible, a compensating control is to restrict WordPress user registration and limit the lowest-privileged role (e.g., Subscriber) from accessing the site until patched - note this may impact legitimate user workflows. Web application firewall rules targeting unanticipated theme AJAX or REST API calls from low-privilege accounts can reduce exposure but are not a substitute for patching.

Share

EUVD-2026-31753 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy