Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Unauthenticated network-reachable authorization bypass (AV:N/AC:L/PR:N/UI:N); high confidentiality from member-data exposure, with limited integrity/availability matching a read-leaning broken access control flaw.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Broken Access Control in WordPress Dating Theme <= 11.2.0 versions.
AnalysisAI
Unauthenticated broken access control in PremiumPress WordPress Dating Theme through version 11.2.0 allows remote attackers to reach restricted functionality without credentials, resulting in high confidentiality impact and limited integrity and availability impact. The flaw was disclosed via Patchstack and currently has no public exploit identified at time of analysis, but the network-reachable, no-interaction vector (AV:N/AC:L/PR:N/UI:N) makes opportunistic abuse against exposed sites realistic. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The only prerequisite is network reachability to a WordPress site running the PremiumPress 'WordPress Dating Theme' at version 11.2.0 or earlier with its vulnerable endpoint exposed on the public web; the CVSS vector AV:N/AC:L/PR:N/UI:N confirms no authentication, no user interaction, and no special attack complexity. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L) is consistent with a network-reachable, fully unauthenticated authorization bypass and should be treated as a real priority for any site running the theme, particularly dating/community sites that store sensitive PII. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker enumerates WordPress sites running the Dating Theme via Wappalyzer-style fingerprinting or theme-path scanning, then issues unauthenticated HTTP requests directly to the vulnerable theme handler - for example an admin-ajax.php action exposed by the theme - to retrieve or modify member data that should require an authenticated session. No POC is currently referenced in the input, so realistic near-term abuse is opportunistic bulk scraping of member profiles or messages from exposed sites rather than a turnkey mass-exploitation campaign. |
| Remediation | Patch available per vendor advisory: upgrade the WordPress Dating Theme to a release later than 11.2.0 as referenced in the Patchstack entry (https://patchstack.com/database/wordpress/theme/da10/vulnerability/wordpress-wordpress-dating-theme-theme-11-2-0-broken-access-control-vulnerability); the exact fixed version is not stated in the input data, so confirm the target version directly with PremiumPress before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations using PremiumPress Dating Theme; document affected versions and asset criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Wordpress Dating Theme
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37662