Skip to main content

Metro Magazine EUVDEUVD-2026-37058

| CVE-2026-40809 MEDIUM
Missing Authorization (CWE-862)
2026-06-16 Patchstack GHSA-57gx-7458-mhwq
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-exposed WordPress theme endpoint with no authorization check enables unauthenticated access; C:N because no data disclosure is described in the vulnerability.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 10:31 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Metro Magazine: from n/a through 1.4.1.

AnalysisAI

Missing authorization controls in the Metro Magazine WordPress theme by Rara Themes (versions through 1.4.1) expose unauthenticated network attackers to restricted theme actions, yielding partial integrity and availability impact without any credential requirement. Rooted in CWE-862 (Missing Authorization), the flaw reflects a broken access control pattern common in WordPress themes that register AJAX or REST endpoints without validating the caller's privilege level. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; EPSS data was not provided in available intelligence.

Technical ContextAI

Metro Magazine is a WordPress theme produced by Rara Themes, identified by CPE cpe:2.3:a:rara_themes:metro_magazine:*:*:*:*:*:*:*:* across all versions through 1.4.1. WordPress themes can register privileged AJAX handlers (wp_ajax_nopriv_*) or REST API endpoints that are reachable without authentication; CWE-862 (Missing Authorization) describes the failure to enforce a capability or nonce check before permitting the requested action. This maps directly to OWASP A01:2021 Broken Access Control. The Patchstack tag 'Authentication Bypass' further confirms that the authorization gate is entirely absent rather than merely weakened, allowing callers at PR:N to exercise functionality intended for higher-privilege roles.

RemediationAI

WordPress administrators should update the Metro Magazine theme to a version beyond 1.4.1 immediately upon vendor release - consult the WordPress theme repository and the Patchstack advisory at https://patchstack.com/database/wordpress/theme/metro-magazine/vulnerability/wordpress-metro-magazine-theme-1-4-1-broken-access-control-vulnerability?_s_id=cve for the confirmed patched release version, which is not explicitly stated in the available intelligence. If a patched version is not yet available, the most effective compensating control is deactivating the Metro Magazine theme and substituting an unaffected theme, eliminating the attack surface entirely. Alternatively, a WordPress-aware WAF solution such as Patchstack Shield or Wordfence with virtual patching rules can block unauthorized requests to the vulnerable endpoints, though this may inadvertently block legitimate theme functionality if rules are not precisely scoped to the affected action.

Share

EUVD-2026-37058 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy