Description
Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Metro Magazine: from n/a through 1.3.7.
Published: 2026-06-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that permits unauthorized users to dismiss notices intended for privileged users. The weakness is a broken access control, allowing an attacker to perform an action they should not be able to perform. This can lead to unauthorized manipulation of administrative notices, potentially enabling further exploitation if subsequent actions depend on notice visibility.

Affected Systems

Rara Themes Metro Magazine theme versions from the earliest available up to 1.3.7 are affected. All WordPress installations using these theme versions are susceptible until the theme is upgraded to version 1.3.8 or later.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact, and the EPSS score is not available, so current exploitation probabilities are unknown. The vulnerability is not listed in the CISA KEV catalog, suggesting it is not a known, actively exploited flaw. However, the broken access control could be leveraged as a foothold for privilege escalation or other malicious actions, especially in sites where the Notice Dismissal function is a critical administrative control.

Generated by OpenCVE AI on June 18, 2026 at 13:57 UTC.

Remediation

Vendor Solution

Update the WordPress Metro Magazine theme to the latest available version (at least 1.3.8).


OpenCVE Recommended Actions

  • Update the WordPress Metro Magazine theme to version 1.3.8 or later using the official theme update mechanism.
  • Reconfigure WordPress user roles and capabilities to restrict notice dismissal to administrators.
  • Monitor user activity logs for unauthorized notice dismissals or unexpected changes to administrative notices after the update.


Advisories

No advisories yet.

History

Wed, 17 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.3.7.
Title | | WordPress Metro Magazine theme <= 1.3.7 - Broken Access Control on Notice Dismissal vulnerability
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:47:02.860Z

Reserved: 2024-06-09T11:43:52.670Z

Link: CVE-2024-37496

Vulnrichment

Updated: 2026-06-17T12:46:59.295Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T14:00:16Z

Weaknesses