Impact
The SmartDataSoft DriCub WordPress theme is missing an authorization check, which allows exploitation of incorrectly configured access control security levels. The weakness is classified as CWE-862: an attacker could perform actions or view resources that should be restricted to authorized users. The potential impact is unauthorized disclosure or manipulation of protected data within the site, which can undermine the confidentiality and integrity of the affected content.
Affected Systems
SmartDataSoft DriCub WordPress Theme versions up to and including 2.9 are vulnerable. Any WordPress site installing these versions of the theme is impacted.
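To act on the affected-version range above, the following added example (not part of the advisory or of the theme's code) scans a `wp-content/themes` directory and flags DriCub copies at version 2.9 or lower. It assumes the theme's `style.css` header carries a `Theme Name` containing "DriCub"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag DriCub theme copies at or below the affected version.
# Assumption: the theme's style.css header "Theme Name" contains "DriCub".
AFFECTED_MAX="2.9"   # from the advisory: versions up to and including 2.9

# Print one header field ("Theme Name", "Version") from a style.css file.
theme_header() {
    sed -n "s/^[[:space:]*]*$2:[[:space:]]*//p" "$1" | head -n 1 |
        tr -d '\r' | sed 's/[[:space:]]*$//'
}

# Succeed if dotted version $1 <= $2, comparing numerically (2.10 > 2.9).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Return 0 if the directory holds an affected DriCub copy, 1 if it holds a
# newer copy, 2 if it is another theme or its version cannot be read.
check_theme() {
    css="$1/style.css"
    [ -r "$css" ] || return 2
    name=$(theme_header "$css" "Theme Name" | tr '[:upper:]' '[:lower:]')
    case "$name" in *dricub*) ;; *) return 2 ;; esac
    ver=$(theme_header "$css" "Version")
    [ -n "$ver" ] || { echo "UNKNOWN  $1 (no Version header)"; return 2; }
    if version_le "$ver" "$AFFECTED_MAX"; then
        echo "AFFECTED $1 (version $ver <= $AFFECTED_MAX)"; return 0
    fi
    echo "OK       $1 (version $ver)"; return 1
}

# Scan each theme under a wp-content/themes path; return 0 if any is affected.
scan_themes() {
    found=1
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        check_theme "${dir%/}" && found=0
    done
    return "$found"
}

if [ "$#" -gt 0 ]; then scan_themes "$1"; fi
```

Pass the themes directory as the only argument; the exit status is 0 when at least one affected copy is found.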
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests that the likelihood of exploitation is currently very low. The vulnerability is not listed in the CISA KEV catalog, further indicating limited recent exploitation. Because the flaw is broken access control rather than a remote code execution vector, the attacker would need to interact with the site to succeed. Based on the description, the likely attack vector is the site's front-end or an authenticated session, targeting an endpoint exposed by the theme that lacks proper authorization checks. The exact entry point is not specified, but an attacker could target any accessible page or API endpoint that the theme provides and that is improperly protected.