Description
Missing Authorization vulnerability in Sparkle WP MetroStore metrostore allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects MetroStore: from n/a through 1.3.2.
Published: 2026-06-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows an attacker to bypass the intended access restrictions of the MetroStore theme. An attacker could read or modify data, settings, or other protected functionality within a WordPress site, thereby compromising confidentiality or integrity. This is categorized as CWE‑862, indicating a broken access control weakness.

Affected Systems

The issue affects Sparkle WP’s MetroStore theme for all released versions up to and including 1.3.2. Any WordPress installation using this theme version is potentially vulnerable.

Risk and Exploitability

The CVSS score of 4.3 denotes a moderate severity, while the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is likely based on incorrect configuration of access levels within WordPress; attackers with sufficient privileges to interact with the theme (such as logged‑in users with certain roles) could exploit the flaw. The risk is limited to the scope of the compromised access rights, but remediation is still recommended to prevent unauthorized operations.

Generated by OpenCVE AI on June 11, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MetroStore theme to a version that resolves the broken access control flaw (for example, any release newer than 1.3.2).
  • Ensure that WordPress file and directory permissions for the theme are correctly set so that only authorized administrators can modify theme files.
  • Configure strict role‑based access controls in WordPress to limit which user roles can edit theme settings and content.

Generated by OpenCVE AI on June 11, 2026 at 12:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Sparkle Wp
Sparkle Wp metrostore
Wordpress
Wordpress wordpress
Vendors & Products Sparkle Wp
Sparkle Wp metrostore
Wordpress
Wordpress wordpress

Thu, 11 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Sparkle WP MetroStore metrostore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MetroStore: from n/a through 1.3.2.
Title WordPress MetroStore theme <= 1.3.2 - Broken Access Control
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Sparkle Wp Metrostore
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-11T16:03:17.760Z

Reserved: 2023-05-16T09:52:27.426Z

Link: CVE-2023-32959

cve-icon Vulnrichment

Updated: 2026-06-11T16:03:14.293Z

cve-icon NVD

Status : Deferred

Published: 2026-06-11T12:16:29.873

Modified: 2026-06-11T14:42:47.007

Link: CVE-2023-32959

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T20:18:15Z

Weaknesses