Impact
The shinetheme Traveler theme is susceptible to a missing authorization flaw that permits attackers to exploit incorrectly configured access control settings. The vulnerability allows unauthorized users to gain access to protected theme functionality, potentially revealing sensitive site data or enabling further compromise. Classified under CWE-862, the flaw has an overall medium severity with a CVSS score of 6.5, indicating a significant risk to the confidentiality and integrity of the site.
Affected Systems
Vulnerable installations include all WordPress sites running shinetheme Traveler version 3.2.6 or earlier. No later releases are impacted, so users should verify that their installation is upgraded beyond 3.2.6. The problem originates from the theme component itself rather than the core WordPress software.
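One way to carry out that verification on a host, as an added example (not code from the theme vendor or from this advisory): it reads the version a WordPress theme declares in the `Version:` header of its `style.css` and compares it with 3.2.6. The install path and the `traveler` directory name are assumptions, and `sort -V` requires GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example: audit a theme directory against the advisory's affected range.
LAST_AFFECTED="3.2.6"   # from the advisory: 3.2.6 and earlier are affected

# Print one header field (e.g. Version, Template) from a theme's style.css.
# Tolerates leading " * " decoration, CRLF line endings and trailing blanks.
theme_header() {
    sed -n "s/^[[:space:]*]*$2:[[:space:]]*//p" "$1" 2>/dev/null |
        head -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# True when dotted version $1 <= $2 (so 3.2.10 is correctly newer than 3.2.6).
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Classify a theme directory: AFFECTED, OK, CHILD (check the parent), or UNKNOWN.
check_theme() {
    css="$1/style.css"
    [ -f "$css" ] || { echo "UNKNOWN no-style.css"; return 2; }
    parent=$(theme_header "$css" Template)
    if [ -n "$parent" ]; then
        # A child theme's Version is its own, not the parent theme's.
        echo "CHILD parent=$parent"; return 3
    fi
    ver=$(theme_header "$css" Version)
    [ -n "$ver" ] || { echo "UNKNOWN no-version"; return 2; }
    if version_le "$ver" "$LAST_AFFECTED"; then
        echo "AFFECTED $ver"; return 1
    fi
    echo "OK $ver"; return 0
}

# Usage (path is an assumption): sh check.sh /var/www/html/wp-content/themes/traveler
if [ -n "${1:-}" ]; then check_theme "$1"; fi
```

A `CHILD` result means the directory is a child theme; run the check again on the parent directory it names.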
Risk and Exploitability
The CVSS score of 6.5 reflects a medium threat level, while the EPSS score of less than 1% suggests that, as of now, exploitation attempts are rare but not impossible. The vulnerability is not listed in CISA KEV, meaning no public exploitation data is recorded. Attackers would likely target the web interface where the theme is active; the flaw could be leveraged by users who can manipulate role assignments or by exploiting misconfigured permissions, thereby bypassing normal access checks. Organizations should consider the possibility that an attacker with minimal initial access could increase privileges within the site.