Skip to main content

Werkstatt

3 CVEs product

Monthly

CVE-2026-57690 MEDIUM This Month

Cross-Site Request Forgery in the Werkstatt WordPress theme (FuelThemes) version 4.7.2 and earlier allows remote unauthenticated attackers to perform unauthorized state-changing actions on behalf of authenticated WordPress users. The flaw stems from missing or inadequate CSRF token validation on one or more theme action endpoints, meaning a crafted web page or link can silently trigger privileged operations when visited by a logged-in user. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

CSRF Werkstatt
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-57689 MEDIUM This Month

Broken access control in the Werkstatt WordPress theme (Fuelthemes) versions 4.7.2 and below allows subscriber-level authenticated users to access functionality or data restricted to higher-privileged roles. The root cause is missing authorization checks (CWE-862), permitting low-privilege WordPress accounts to bypass intended access restrictions and read protected information. No public exploit code is identified and the vulnerability is not listed in CISA KEV, but the low-complexity network vector makes it trivially exploitable by any subscriber-level user on affected sites.

Authentication Bypass Werkstatt
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-27414 HIGH This Week

PHP Object Injection in the Werkstatt WordPress theme (fuelthemes) through version 4.8.3 lets a Contributor-level user pass attacker-controlled data into an unsafe deserialization routine, enabling instantiation of arbitrary PHP objects. With the right POP gadget chain present in WordPress core, another plugin, or the theme itself, this can escalate to file operations, SQL manipulation, or remote code execution. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the 8.8 CVSS reflects the low-privilege network-exploitable path with high confidentiality, integrity, and availability impact.

Deserialization PHP Werkstatt
NVD
CVSS 3.1
8.8
EPSS
0.3%
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Werkstatt WordPress theme (FuelThemes) version 4.7.2 and earlier allows remote unauthenticated attackers to perform unauthorized state-changing actions on behalf of authenticated WordPress users. The flaw stems from missing or inadequate CSRF token validation on one or more theme action endpoints, meaning a crafted web page or link can silently trigger privileged operations when visited by a logged-in user. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

CSRF Werkstatt
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken access control in the Werkstatt WordPress theme (Fuelthemes) versions 4.7.2 and below allows subscriber-level authenticated users to access functionality or data restricted to higher-privileged roles. The root cause is missing authorization checks (CWE-862), permitting low-privilege WordPress accounts to bypass intended access restrictions and read protected information. No public exploit code is identified and the vulnerability is not listed in CISA KEV, but the low-complexity network vector makes it trivially exploitable by any subscriber-level user on affected sites.

Authentication Bypass Werkstatt
NVD
EPSS 0% CVSS 8.8
HIGH This Week

PHP Object Injection in the Werkstatt WordPress theme (fuelthemes) through version 4.8.3 lets a Contributor-level user pass attacker-controlled data into an unsafe deserialization routine, enabling instantiation of arbitrary PHP objects. With the right POP gadget chain present in WordPress core, another plugin, or the theme itself, this can escalate to file operations, SQL manipulation, or remote code execution. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the 8.8 CVSS reflects the low-privilege network-exploitable path with high confidentiality, integrity, and availability impact.

Deserialization PHP Werkstatt
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy