Description
Missing Authorization vulnerability in Stylemix Pearl pearl-header-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Pearl: from n/a through <= 1.3.9.
Published: 2025-04-01
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows incorrect access control levels within the Pearl header‑builder plugin. Because the plugin does not properly enforce role checks, a user with any authenticated access to the WordPress admin area could potentially alter, add, or remove header settings that the plugin manages. This weakness corresponds to CWE‑862 – Unchecked Critical Privilege and could lead to unauthorized configuration changes, affecting the appearance or behavior of the site.

Affected Systems

WordPress sites that have the Stylemix Pearl header‑builder plugin installed at version 1.3.9 or earlier are affected. The version range reported by the CNA is "from n/a through <= 1.3.9", implying that any installation at those versions is vulnerable.

Risk and Exploitability

The CVSS score of 5.4 classifies the issue as moderate in severity. The EPSS score of less than 1% indicates a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local: any authenticated user with access to the WordPress admin interface, especially those with non‑administrator roles, could exploit the flaw by navigating to the plugin’s configuration screens and modifying settings. No remote code execution or arbitrary file inclusion is described in the current data.

Generated by OpenCVE AI on May 1, 2026 at 01:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Pearl header‑builder plugin to a version newer than 1.3.9 or apply the vendor‑issued fix if available.
  • If an upgrade is not feasible, disable or uninstall the Pearl plugin to eliminate the attack surface.
  • Restrict user capabilities so that only administrators or specific trusted roles can access plugin configuration pages, creating a tighter access control boundary in line with CWE‑862 remediation guidelines.
  • Monitor audit logs for unexpected access to the plugin’s settings pages and review changes to header configurations.

Generated by OpenCVE AI on May 1, 2026 at 01:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9143 Missing Authorization vulnerability in Stylemix Pearl allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pearl: from n/a through 1.3.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Stylemix Pearl allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pearl: from n/a through 1.3.9. Missing Authorization vulnerability in Stylemix Pearl pearl-header-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Pearl: from n/a through <= 1.3.9.
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Tue, 01 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 15:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Stylemix Pearl allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pearl: from n/a through 1.3.9.
Title WordPress Pearl plugin <= 1.3.9 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:15.308Z

Reserved: 2025-04-01T13:21:22.233Z

Link: CVE-2025-31881

cve-icon Vulnrichment

Updated: 2025-04-01T15:41:08.121Z

cve-icon NVD

Status : Deferred

Published: 2025-04-01T15:16:30.760

Modified: 2026-04-23T15:28:28.700

Link: CVE-2025-31881

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T01:45:05Z

Weaknesses