Constructor
Monthly
Unauthenticated broken access control in the Constructor WordPress theme (versions through 1.6.5) exposes restricted functionality to any remote visitor without authentication. The missing authorization check (CWE-862) allows network-accessible exploitation with no user interaction required, resulting in unauthorized read access to data or functionality that should be ACL-protected. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS vector confirms trivially low exploitation complexity.
Unauthenticated broken access control in the Constructor WordPress theme (versions through 1.6.5) exposes restricted functionality to any remote visitor without authentication. The missing authorization check (CWE-862) allows network-accessible exploitation with no user interaction required, resulting in unauthorized read access to data or functionality that should be ACL-protected. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS vector confirms trivially low exploitation complexity.