Impact
The vulnerability is a missing authorization flaw, classified as CWE-862, that allows an attacker to exploit incorrectly configured access control security levels in the Envo Multipurpose theme. An attacker could gain unauthorized access to privileged functions or data normally restricted to certain user roles, potentially compromising confidentiality, integrity, or availability of the site. The flaw originates from the theme’s internals, where access checks were not performed on critical functions.
Affected Systems
The Envo Multipurpose theme for WordPress, supplied by EnvoThemes, is affected. All releases up to and including version 1.1.6 are vulnerable. No known lower bound is provided, so any version earlier than 1.1.6 should be considered at risk until a fix is applied.
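An inventory check for the affected range, added here as an example and not taken from the advisory or the vendor: it reads the standard `Theme Name` and `Version` fields from each theme's `style.css` header and flags copies at or below 1.1.6. The themes directory path and the sample tree in the demo are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 1, 6)        # advisory: up to and including 1.1.6
THEME_NAME = "envomultipurpose"  # advisory's theme name, spaces removed

def parse_theme_header(css_text):
    """Return the 'Key: value' fields of a WordPress style.css header comment."""
    match = re.search(r"/\*(.*?)\*/", css_text, re.S)
    fields = {}
    for line in (match.group(1) if match else "").splitlines():
        key, sep, value = line.strip(" \t*").partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields

def version_tuple(version):
    """'1.1.6' -> (1, 1, 6); missing components are padded with 0."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    return tuple(nums + [0] * (3 - len(nums)))

def audit(themes_root):
    """List (directory, version, affected) for each installed copy of the theme."""
    findings = []
    for css in sorted(Path(themes_root).glob("*/style.css")):
        header = parse_theme_header(css.read_text(encoding="utf-8", errors="replace"))
        if header.get("theme name", "").replace(" ", "").lower() != THEME_NAME:
            continue
        version = header.get("version", "")
        # A missing version is reported as affected so it gets a manual look.
        affected = not version or version_tuple(version) <= LAST_AFFECTED
        findings.append((css.parent.name, version, affected))
    return findings

if __name__ == "__main__":
    # Constructed sample tree; on a real host pass the wp-content/themes path.
    root = Path(tempfile.mkdtemp())
    samples = {"copy-a": ("Envo Multipurpose", "1.1.6"),
               "copy-b": ("Envo Multipurpose", "9.9.9"),  # constructed version
               "other": ("Some Other Theme", "1.0.0")}
    for folder, (name, ver) in samples.items():
        (root / folder).mkdir()
        (root / folder / "style.css").write_text(
            f"/*\nTheme Name: {name}\nVersion: {ver}\n*/\n", encoding="utf-8")
    for folder, ver, affected in audit(root):
        print(f"{folder}: version {ver or 'unknown'} ->",
              "AFFECTED" if affected else "outside affected range")
```

A child theme carries its own `Theme Name`, so it is not matched; check the parent theme's directory as well.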
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity, and the EPSS score of < 1% shows a very low likelihood of exploitation at the time of assessment. The vulnerability is not listed in the CISA KEV catalog, suggesting it is not a known, actively exploited flaw. The attack vector is most likely web‑based through the WordPress front‑end or administration interface, where a user with insufficient privileges could trigger the exposed operations. Attackers would need to identify the presence of the theme and the specific endpoints that lack proper authorization checks.