Impact
A missing authorization flaw in the Sparkle FSE WordPress theme, identified as CWE‑862, allows users without proper rights to read or modify content, settings, or other protected resources rendered by the theme. The vulnerability stems from incorrectly configured access levels and can lead to confidentiality or integrity violations if sensitive data or administrative functionality becomes visible or alterable by unauthorized users.
Affected Systems
The issue affects the Sparkle FSE theme from its earliest release through version 1.0.9, inclusive. Any WordPress installation that has this theme active—whether on the front‑end, within the admin dashboard, or during content editing—is potentially vulnerable. No other specific WordPress core versions or plugins are noted as affected.
Risk and Exploitability
The CVE description does not state an explicit attack vector; it describes a missing authorization check that could be exercised through normal theme rendering. Based on the description, the likely attack vector is a remote web user accessing a page where the theme processes requests; the user does not require elevated privileges, only normal website access. The CVSS score of 5.4 indicates moderate severity, the EPSS score of less than 1% suggests a very low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. If exploited, the flaw could allow unauthorized individuals to bypass access controls, potentially exposing or altering protected data within the theme context.