Description
Missing Authorization vulnerability in Sparkle WP MetroStore metrostore allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects MetroStore: from n/a through 1.3.2.
Published: 2026-06-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows an attacker to bypass the intended access restrictions of the MetroStore theme. An attacker could read or modify data, settings, or other protected functionality within a WordPress site, thereby compromising confidentiality or integrity. This is categorized as CWE‑862, indicating a broken access control weakness.

Affected Systems

The issue affects Sparkle WP’s MetroStore theme for all released versions up to and including 1.3.2. Any WordPress installation using this theme version is potentially vulnerable.

Risk and Exploitability

The CVSS score of 4.3 denotes a moderate severity, while the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is likely based on incorrect configuration of access levels within WordPress; attackers with sufficient privileges to interact with the theme (such as logged‑in users with certain roles) could exploit the flaw. The risk is limited to the scope of the compromised access rights, but remediation is still recommended to prevent unauthorized operations.

Generated by OpenCVE AI on June 11, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MetroStore theme to a version that resolves the broken access control flaw (for example, any release newer than 1.3.2).
  • Ensure that WordPress file and directory permissions for the theme are correctly set so that only authorized administrators can modify theme files.
  • Configure strict role‑based access controls in WordPress to limit which user roles can edit theme settings and content.

Generated by OpenCVE AI on June 11, 2026 at 12:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Sparkle WP MetroStore metrostore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MetroStore: from n/a through 1.3.2.
Title WordPress MetroStore theme <= 1.3.2 - Broken Access Control
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-11T10:50:00.764Z

Reserved: 2023-05-16T09:52:27.426Z

Link: CVE-2023-32959

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-06-11T12:16:29.873

Modified: 2026-06-11T14:42:47.007

Link: CVE-2023-32959

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T12:30:14Z

Weaknesses