Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Missing authorization in a WordPress theme plausibly enables unauthorized modification of theme settings (I:L), not just availability; C:N as no data exposure is indicated.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in vowelweb VW Food Corner vw-food-corner allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Food Corner: from n/a through <= 1.1.0.
AnalysisAI
Missing authorization controls in the VW Food Corner WordPress theme (versions through 1.1.0) permit unauthenticated remote attackers to invoke restricted theme functionality without valid access credentials, resulting in availability impact. Reported by Patchstack and classified under CWE-862, the flaw stems from incorrectly configured access control levels that fail to verify caller identity or capability before executing protected actions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target WordPress installation has the VW Food Corner theme installed and active at version 1.1.0 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L reflects a remotely exploitable, low-complexity flaw requiring no authentication or user interaction, but with impact capped at low availability only - no confidentiality or integrity degradation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker discovers a WordPress site running VW Food Corner theme version 1.1.0 or earlier - identifiable via page source meta tags or WordPress theme enumeration. The attacker sends a crafted HTTP POST request to the site's wp-admin/admin-ajax.php endpoint (or equivalent REST route) targeting the unprotected theme action, which executes without any authorization check, triggering a minor availability disruption such as resetting theme configuration or invoking a resource-intensive process. … |
| Remediation | No confirmed patched release version has been independently verified from the available data - site operators should check the WordPress.org theme repository and the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/vw-food-corner/vulnerability/wordpress-vw-food-corner-theme-1-1-0-broken-access-control-vulnerability for an updated release beyond 1.1.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43394