Description
Missing Authorization vulnerability in AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cartify - WooCommerce Gutenberg WordPress Theme: from n/a through <= 1.3.
Published: 2026-02-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary content deletion
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows an attacker to delete any content managed by the WordPress Cartify – WooCommerce Gutenberg WordPress Theme. It stems from incorrectly configured access control, enabling deletion without a valid privilege check. The weakness is classified as CWE‑862 – Missing Authorization.

Affected Systems

This issue affects the AgniHD Cartify – WooCommerce Gutenberg WordPress Theme in all releases up to and including version 1.3. Users running these versions are exposed to the deletion vulnerability.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, yet the EPSS score of less than 1% shows a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves a user who can log in to the WordPress backend or edit the theme’s configuration and then perform deletion actions that should have been restricted to higher‑privilege roles.

Generated by OpenCVE AI on April 27, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cartify – WooCommerce Gutenberg WordPress Theme to a version newer than 1.3, ensuring the missing authorization fix is applied.
  • Restrict author and contributor roles by disabling their capability to delete content and enforce that only administrators can modify theme settings.
  • Implement regular backups of site content and enable change‑tracking logs so that accidental or malicious deletions can be identified and recovered.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Mon, 23 Feb 2026 21:15:00 +0000

Type: Metrics
Values Added:
cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added:
Agnihd
Agnihd cartify - Woocommerce Gutenberg Wordpress Theme
Wordpress
Wordpress wordpress

Type: Vendors & Products
Values Added:
Agnihd
Agnihd cartify - Woocommerce Gutenberg Wordpress Theme
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cartify - WooCommerce Gutenberg WordPress Theme: from n/a through <= 1.3.

Type: Title
Values Added: WordPress Cartify - WooCommerce Gutenberg WordPress Theme theme <= 1.3 - Arbitrary Content Deletion vulnerability

Type: Weaknesses
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:39.774Z

Reserved: 2025-12-31T20:13:11.108Z

Link: CVE-2025-69385

Vulnrichment

Updated: 2026-02-23T21:09:20.509Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:23.687

Modified: 2026-04-27T19:16:43.833

Link: CVE-2025-69385

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:30:12Z

Weaknesses