Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Network-exploitable but requires authenticated low-privileged account; impact is limited to low availability with no confidentiality or integrity consequence per description.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in ThemeMove EduMall edumall allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EduMall: from n/a through <= 4.5.1.
AnalysisAI
Broken access control in ThemeMove's EduMall WordPress theme (versions through 4.5.1) permits authenticated low-privileged users to invoke restricted functionality without proper authorization checks. An attacker with any valid WordPress account can bypass the intended access control tiers and trigger actions that degrade site availability. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold at minimum a low-privileged WordPress account on the target site (PR:L per CVSS). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 4.3 (Medium) is consistent with the impact profile: no confidentiality or integrity loss, and only low availability degradation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free account on a WordPress site running EduMall (or uses existing credentials as a student/subscriber), then crafts an authenticated HTTP POST request directly to an EduMall-registered AJAX handler or REST endpoint that lacks a capability check. Because the missing authorization gate is never enforced, the request executes a privileged action - such as triggering a bulk operation or clearing a cache - that degrades site responsiveness for other users. |
| Remediation | Update EduMall to a version released after 4.5.1; no specific patched version number is confirmed in the available data, so administrators should check the ThemeForest changelog or the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/edumall/vulnerability/wordpress-edumall-theme-4-5-0-broken-access-control-vulnerability for the exact fix version before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43413