Description
Incorrect Privilege Assignment vulnerability in Jthemes xSmart xsmart allows Privilege Escalation. This issue affects xSmart: from n/a through <= 1.2.9.4.
Published: 2026-01-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An Incorrect Privilege Assignment flaw (CWE-266) in the Jthemes xSmart WordPress theme allows a user with lower permissions to raise their privileges within the site. The theme's internal role handling can be manipulated to elevate access rights, so an attacker could obtain higher privilege levels than originally granted.

Affected Systems

All installations of the Jthemes xSmart theme from the earliest release through version 1.2.9.4 are affected. No other WordPress themes or plugins are listed as vulnerable in this entry.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an authenticated user with a limited role who can access theme configuration or upload functionality; exploiting the theme's incorrect privilege logic would grant them elevated rights.

Generated by OpenCVE AI on April 29, 2026 at 17:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the xSmart theme to a release newer than 1.2.9.4 that fixes the privilege assignment flaw.
  • If no newer version is available, remove or deactivate the vulnerable theme to eliminate the flaw from the site.
  • Restrict theme editing and upload actions to administrator accounts only and audit user roles to ensure no lower-privileged user retains theme configuration rights.

Advisories

No advisories yet.

History

Mon, 26 Jan 2026 23:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Incorrect Privilege Assignment vulnerability in Jthemes xSmart xsmart allows Privilege Escalation. This issue affects xSmart: from n/a through <= 1.2.9.4.

Type: Title
  Values Removed: (none)
  Values Added: WordPress xSmart theme <= 1.2.9.4 - Privilege Escalation vulnerability

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-266

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:22:28.972Z

Reserved: 2025-06-11T16:08:11.573Z

Link: CVE-2025-50007

Vulnrichment

Updated: 2026-01-26T21:58:38.863Z

NVD

Status: Deferred

Published: 2026-01-22T17:15:57.263

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-50007

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T17:45:16Z

Weaknesses