Description
Missing Authorization vulnerability in GhostPool Gauge gauge allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gauge: from n/a through <= 6.56.4.
Published: 2026-02-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Gauge theme from GhostPool contains a missing authorization flaw that allows an attacker to bypass configured access control levels and gain privileged actions within the WordPress site. This can lead to unauthorized modification of theme settings, content, or the injection of malicious code, thereby compromising the integrity and confidentiality of the site.

Affected Systems

GhostPool’s Gauge WordPress theme, version 6.56.4 and earlier, is affected. Installations of any preceding releases up to and including 6.56.4 must be assessed for risk.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is considered high, but the EPSS score of less than 1% suggests it is unlikely to be widely exploited at present. The issue is not listed in the CISA KEV catalog. The attack vector is inferred to require authenticated access to the WordPress backend or a misconfigured user role, but the CVE description does not specify exact prerequisites. Exploitability would rely on the presence of users with elevated privileges and correct endpoints in the theme. Administrators should treat it as a high‑risk exposure pending a patch.

Generated by OpenCVE AI on April 29, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gauge to the latest version greater than 6.56.4 and verify that the update includes the authorization fix.
  • If an update is not available, deactivate the Gauge theme and switch to a trusted alternative theme until a fix is released.
  • Review and tighten role‑based access controls within WordPress, ensuring that only authorized users have the capability to modify theme settings.
  • Monitor site activity for abnormal changes to theme configuration and investigate any suspicious modifications.

Generated by OpenCVE AI on April 29, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Thu, 26 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Ghostpool
Ghostpool gauge
Wordpress
Wordpress wordpress
Vendors & Products Ghostpool
Ghostpool gauge
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in GhostPool Gauge gauge allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gauge: from n/a through <= 6.56.4.
Title WordPress Gauge theme <= 6.56.4 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Ghostpool Gauge
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:36.876Z

Reserved: 2025-12-31T20:11:57.533Z

Link: CVE-2025-69298

cve-icon Vulnrichment

Updated: 2026-02-25T15:53:29.596Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:16.557

Modified: 2026-04-27T21:16:23.463

Link: CVE-2025-69298

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T14:45:13Z

Weaknesses