Impact
Missing authorization checks in the Jegstudio Startupzy theme allow an attacker to perform actions that should be restricted by proper access control. The flaw arises from incorrectly configured security levels, enabling users with insufficient privileges to tamper with theme settings or execute operations that are normally restricted to higher‑privileged accounts.
Affected Systems
Any WordPress installation using Jegstudio's Startupzy theme version 1.1.1 or earlier is vulnerable. No specific WordPress core or other plugin versions are cited, so the issue is confined to the theme itself.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate risk. EPSS is not available, so the exact exploitation probability is unclear. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread use has been documented. An attacker would likely need web access to the site, with at least a logged‑in user account, to exploit the missing authorization and gain unauthorized capabilities. The impact is limited to sites that retain outdated theme versions and rely on the theme for configuration or content management.
OpenCVE Enrichment