Description
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Holmes holmes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Holmes: from n/a through <= 1.7.
Published: 2026-01-22
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass via Insecure Direct Object References
Action: Assess Impact
AI Analysis

Impact

The vulnerability is an IDOR flaw that allows an attacker to bypass authorization by controlling a key parameter. This can let an attacker access content or functionality that should be restricted, potentially exposing confidential data and undermining the integrity of the site. The weakness is categorized as CWE-639, which reflects missing or incorrect checks on the ownership or permission of an object before allowing it to be viewed or updated. Based on the description, it is inferred that the attack requires the ability to submit crafted HTTP requests containing manipulated identifiers.

Affected Systems

The affected product is the Mikado‑Themes Holmes WordPress theme, versions up to and including 1.7. All installations running Holmes 1.7 or earlier are potentially impacted; no minimum vulnerable version is specified.

Risk and Exploitability

The CVSS score of 5.4 indicates a medium severity. The EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of exploitation at present. The likely attack vector is remote, via crafted requests to the theme’s protected endpoints, and may require user authentication. The problem stems from incorrectly configured access control that fails to validate ownership of requested resources.

Generated by OpenCVE AI on April 16, 2026 at 07:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Holmes theme to a version newer than 1.7 where the IDOR fix is applied.
  • Verify and correct the theme’s access‑control settings to enforce proper authorization checks for all protected resources.
  • Audit WordPress user capabilities and adjust any improperly granted permissions to limit access to sensitive content.

Generated by OpenCVE AI on April 16, 2026 at 07:48 UTC.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Mon, 26 Jan 2026 22:15:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Mikado-themes; Mikado-themes holmes; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Mikado-themes; Mikado-themes holmes; Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Added: Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Holmes holmes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Holmes: from n/a through <= 1.7.

Type: Title
Values Added: WordPress Holmes theme <= 1.7 - Insecure Direct Object References (IDOR) vulnerability

Type: Weaknesses
Values Added: CWE-639

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:55:45.839Z

Reserved: 2026-01-07T12:21:46.518Z

Link: CVE-2026-22400

Vulnrichment

Updated: 2026-01-26T21:18:18.604Z

NVD

Status : Deferred

Published: 2026-01-22T17:16:33.193

Modified: 2026-04-28T19:36:34.583

Link: CVE-2026-22400

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T08:00:11Z

Weaknesses