Skip to main content

Flatsome Theme EUVDEUVD-2026-41301

| CVE-2026-57731 MEDIUM
Missing Authorization (CWE-862)
2026-07-02 Patchstack GHSA-9g2q-p42j-2pr4
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Contributor account required (PR:L), network-accessible with no complexity; only confidentiality impacted as no write or denial-of-service capability is described.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:32 vuln.today

DescriptionCVE.org

Contributor Broken Access Control in Flatsome <= 3.20.5 versions.

AnalysisAI

Broken access control in the Flatsome WordPress theme (versions <= 3.20.5) allows contributor-level authenticated users to access sensitive data they are not authorized to view. The flaw stems from missing authorization checks (CWE-862), enabling privilege escalation beyond the contributor role's intended scope - specifically a high confidentiality impact with no integrity or availability consequence per the CVSS vector. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain contributor-level WordPress account
Exploit
Send authenticated HTTP request to unprotected theme endpoint
Execution
Bypass missing authorization check
Impact
Read sensitive restricted data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress contributor-level account (or any role above contributor) on the target site - confirmed by the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 Medium score reflects AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - network-reachable, low-complexity exploitation requiring only contributor-level authentication, with a high confidentiality impact but no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a contributor account on a WordPress site running Flatsome <= 3.20.5 - plausible on WooCommerce stores that allow vendor or affiliate self-registration. The attacker then sends a crafted authenticated HTTP request (e.g., to an AJAX endpoint or REST route) that the theme fails to gate with a capability check, returning sensitive data such as customer records, order details, or internal configuration. …
Remediation Update the Flatsome theme to a version above 3.20.5 immediately; the Patchstack advisory at https://patchstack.com/database/wordpress/theme/flatsome/vulnerability/wordpress-flatsome-theme-3-20-5-broken-access-control-vulnerability-2 should be consulted for the exact patched release version, which is not explicitly stated in currently available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41301 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy