Description
The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary pages and modify site settings.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of site content and settings by authenticated subscribers
Action: Apply Patch
AI Analysis

Impact

The Mega Store Woocommerce theme contains a missing capability check in the setup_widgets() function that allows users with Subscriber-level or higher access to create arbitrary pages and modify site settings. This flaw directly violates authorization controls (CWE-862) and enables an attacker who possesses at least Subscriber privileges to change content that normally requires higher administrative rights.

Affected Systems

WordPress sites that have installed the Mega Store Woocommerce theme, versions 5.0 through 5.9 inclusive, are affected. Administrators using these versions are at risk if they have users with Subscriber or higher roles.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1% suggests that active exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only authenticated access with a Subscriber role, and the attack path is essentially the normal import or widget setup flow exposed by the theme. Because the flaw bypasses a capability check, an attacker can use existing permissions to arbitrarily alter site content and settings, potentially impacting confidentiality and integrity of the site’s data.

Generated by OpenCVE AI on April 20, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Mega Store Woocommerce theme to version 5.10 or later, which fixes the missing capability check
  • Revoke or downgrade the capability of Subscriber users to prevent page creation and settings modification, or convert legitimate Subscribers to a lower role if possible
  • Implement a server-side wrapper or custom plugin that enforces an explicit capability check before executing setup_widgets(), thereby restoring the intended authorization control
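One way to build the wrapper from the last action, as an added example that is neither the theme's nor OpenCVE's code: a must-use plugin that intercepts the importer's admin-ajax request and refuses it unless the caller holds an administrator capability. The AJAX action name is a placeholder and the choice of 'manage_options' is an assumption; both must be confirmed against core/includes/importer/whizzie.php on the affected install.

```php
<?php
/**
 * Plugin Name: Importer capability guard (added example, not the theme's code)
 * Description: Place in wp-content/mu-plugins/ to require an admin capability
 *              before the theme's widget-setup importer runs.
 */

// ASSUMPTION: the admin-ajax action name(s) the importer registers. Placeholder
// value; replace with the name found in core/includes/importer/whizzie.php.
const GUARD_IMPORTER_ACTIONS = array( 'PLACEHOLDER_setup_widgets_action' );

// Creating pages and changing site settings is administrator work, so the guard
// demands 'manage_options' (assumption; tighten or loosen to match site policy).
const GUARD_REQUIRED_CAP = 'manage_options';

/**
 * Runs on every admin-ajax.php request before the theme's callback: mu-plugins
 * load before themes, and admin-ajax.php fires 'admin_init' before any
 * wp_ajax_{action} hook. Requests for the guarded action are denied with 403
 * unless the current user holds the required capability.
 */
function guard_importer_capability() {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( ! in_array( $action, GUARD_IMPORTER_ACTIONS, true ) ) {
        return;
    }
    if ( ! current_user_can( GUARD_REQUIRED_CAP ) ) {
        // Record the denied attempt so log monitoring can pick it up.
        error_log( sprintf(
            'importer guard: denied action "%s" for user %d',
            $action,
            get_current_user_id()
        ) );
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
}
add_action( 'admin_init', 'guard_importer_capability', 0 );
```

The guard is a stop-gap until the theme is updated; it does not replace the capability check that belongs inside setup_widgets() itself.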

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 01:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 10:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Misbahwp
  Misbahwp mega Store Woocommerce
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Misbahwp
  Misbahwp mega Store Woocommerce
  Wordpress
  Wordpress wordpress

Thu, 19 Feb 2026 05:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary pages and modify site settings.

Type: Title
Values Removed: (none)
Values Added: Mega Store Woocommerce <= 5.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation and Settings Change

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:23:38.813Z

Reserved: 2025-12-09T16:42:08.562Z

Link: CVE-2025-14357

Vulnrichment

Updated: 2026-02-19T21:18:26.139Z

NVD

Status: Deferred

Published: 2026-02-19T07:17:35.090

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14357

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:00:12Z

Weaknesses