Description
Missing Authorization vulnerability in Jegstudio Startupzy startupzy allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Startupzy: from n/a through 1.1.1.
Published: 2026-06-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing authorization checks in the Jegstudio Startupzy theme allow an attacker to perform actions that should be restricted by proper access control. The flaw arises from incorrectly configured security levels, enabling users with insufficient privileges to tamper with theme settings or execute operations that are normally restricted to higher‑privileged accounts.

Affected Systems

Any WordPress installation using Jegstudio's Startupzy theme version 1.1.1 or earlier is vulnerable. No specific WordPress core or other plugin versions are cited, so the issue is confined to the theme itself.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk. EPSS is not available, so the exact exploitation probability is unclear. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread use has been documented. An attacker would likely need web access to the site, with at least a logged‑in user account, to exploit the missing authorization and gain unauthorized capabilities. The impact is limited to sites that retain outdated theme versions and rely on the theme for configuration or content management.

Generated by OpenCVE AI on June 18, 2026 at 13:58 UTC.

Remediation

Vendor Solution

Update the WordPress Startupzy theme to the latest available version (at least 1.1.2).


OpenCVE Recommended Actions

  • Update the Startupzy theme to version 1.1.2 or later.
  • Restrict access to the theme’s configuration pages to administrators only, using WordPress role management or a security plugin.
  • Audit theme file permissions to ensure that non‑administrator users cannot execute or modify theme components.

Generated by OpenCVE AI on June 18, 2026 at 13:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Jegstudio
Jegstudio startupzy
Wordpress
Wordpress wordpress
Vendors & Products Jegstudio
Jegstudio startupzy
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Jegstudio Startupzy startupzy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Startupzy: from n/a through 1.1.1.
Title WordPress Startupzy theme <= 1.1.1 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Jegstudio Startupzy
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:39:06.785Z

Reserved: 2024-04-26T07:21:38.451Z

Link: CVE-2024-33685

cve-icon Vulnrichment

Updated: 2026-06-17T14:39:03.036Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:03:32Z

Weaknesses