Skip to main content

Flatsome

8 CVEs product

Monthly

CVE-2026-57729 HIGH This Week

Broken access control in the UX-Themes Flatsome WordPress theme (versions up to and including 3.20.5) allows remote unauthenticated attackers to reach functionality or data that should be authorization-gated, resulting in confidentiality-only impact per the CVSS vector. The flaw stems from a missing authorization check (CWE-862) and was catalogued by Patchstack, but there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Flatsome is one of the most widely sold commercial WooCommerce themes, so the affected footprint is substantial even though only information disclosure (not integrity or availability) is implicated.

Authentication Bypass Flatsome
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-57728 HIGH This Week

Reflected cross-site scripting in the UX-themes Flatsome WordPress/WooCommerce theme (all versions up to and including 3.20.5) lets a remote attacker inject script that executes in a victim's browser when they click a crafted link. Reported by Patchstack with a CVSS 3.1 score of 7.1 (scope-changed, low-impact), the flaw requires user interaction but no authentication. No public exploit code or active exploitation has been identified at time of analysis.

XSS Flatsome
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57731 MEDIUM This Month

Broken access control in the Flatsome WordPress theme (versions <= 3.20.5) allows contributor-level authenticated users to access sensitive data they are not authorized to view. The flaw stems from missing authorization checks (CWE-862), enabling privilege escalation beyond the contributor role's intended scope - specifically a high confidentiality impact with no integrity or availability consequence per the CVSS vector. No public exploit code or active exploitation has been identified at time of analysis, though the low attack complexity and network-accessible attack vector lower the bar for abuse by any site user holding a contributor account.

Authentication Bypass Flatsome
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57730 MEDIUM This Month

Broken access control in Flatsome WordPress theme versions 3.20.5 and earlier allows authenticated subscriber-level users to access restricted resources or perform actions beyond their intended authorization. The flaw stems from missing authorization checks (CWE-862) on one or more endpoints or actions within the theme, enabling low-privilege WordPress users to retrieve information they should not be permitted to view. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is limited to authenticated users, reducing opportunistic risk.

Authentication Bypass Flatsome
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-31915 MEDIUM This Month

Insufficient authorization controls in Flatsome theme versions 3.19.6 and earlier allow unauthenticated remote attackers to modify data through improperly configured access restrictions. The vulnerability enables unauthorized modifications without requiring user interaction, potentially compromising content integrity across affected websites.

Authentication Bypass Flatsome
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2024-5346 MEDIUM This Month

The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the UX Countdown, Video Button, UX Video, UX Slider, UX Sidebar, and UX Payment Icons shortcodes in all versions up. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Flatsome
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2023-40555 HIGH This Week

Deserialization of Untrusted Data vulnerability in UX-themes Flatsome | Multi-Purpose Responsive WooCommerce Theme.17.5. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization WordPress Flatsome
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2023-28994 MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Flatsome
NVD
CVSS 3.1
6.1
EPSS
0.4%
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the UX-Themes Flatsome WordPress theme (versions up to and including 3.20.5) allows remote unauthenticated attackers to reach functionality or data that should be authorization-gated, resulting in confidentiality-only impact per the CVSS vector. The flaw stems from a missing authorization check (CWE-862) and was catalogued by Patchstack, but there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Flatsome is one of the most widely sold commercial WooCommerce themes, so the affected footprint is substantial even though only information disclosure (not integrity or availability) is implicated.

Authentication Bypass Flatsome
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the UX-themes Flatsome WordPress/WooCommerce theme (all versions up to and including 3.20.5) lets a remote attacker inject script that executes in a victim's browser when they click a crafted link. Reported by Patchstack with a CVSS 3.1 score of 7.1 (scope-changed, low-impact), the flaw requires user interaction but no authentication. No public exploit code or active exploitation has been identified at time of analysis.

XSS Flatsome
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the Flatsome WordPress theme (versions <= 3.20.5) allows contributor-level authenticated users to access sensitive data they are not authorized to view. The flaw stems from missing authorization checks (CWE-862), enabling privilege escalation beyond the contributor role's intended scope - specifically a high confidentiality impact with no integrity or availability consequence per the CVSS vector. No public exploit code or active exploitation has been identified at time of analysis, though the low attack complexity and network-accessible attack vector lower the bar for abuse by any site user holding a contributor account.

Authentication Bypass Flatsome
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken access control in Flatsome WordPress theme versions 3.20.5 and earlier allows authenticated subscriber-level users to access restricted resources or perform actions beyond their intended authorization. The flaw stems from missing authorization checks (CWE-862) on one or more endpoints or actions within the theme, enabling low-privilege WordPress users to retrieve information they should not be permitted to view. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is limited to authenticated users, reducing opportunistic risk.

Authentication Bypass Flatsome
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Insufficient authorization controls in Flatsome theme versions 3.19.6 and earlier allow unauthenticated remote attackers to modify data through improperly configured access restrictions. The vulnerability enables unauthorized modifications without requiring user interaction, potentially compromising content integrity across affected websites.

Authentication Bypass Flatsome
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the UX Countdown, Video Button, UX Video, UX Slider, UX Sidebar, and UX Payment Icons shortcodes in all versions up. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Flatsome
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Deserialization of Untrusted Data vulnerability in UX-themes Flatsome | Multi-Purpose Responsive WooCommerce Theme.17.5. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization WordPress Flatsome
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Flatsome
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy