Description
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Innovio innovio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Innovio: from n/a through <= 1.7.
Published: 2026-01-22
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass via IDOR
Action: Patch Now
AI Analysis

Impact

This vulnerability allows an attacker to bypass authorization controls through insecure direct object references, a form of authorization bypass where user-controlled input determines which object is accessed. The flaw arises from improperly configured access‑control security levels in the Innovio theme, enabling an unauthorized user to view or modify content they should not have access to. The weakness aligns with CWE‑639, which focuses on the improper restriction of authority or rights.

Affected Systems

WordPress sites using the Mikado‑Themes Innovio theme, version 1.7 and earlier. No lower bound is specified, so any released version up to and including 1.7 may be impacted.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate impact potential, while the EPSS value of less than 1 % suggests a very low probability of exploitation at the time of this assessment. The vulnerability is not listed in CISA’s KEV catalog, and no exploitation is publicly reported. Attackers would likely need to be able to submit or modify user‑controlled parameters in WordPress requests, suggesting a web‑based attack vector, though the exact method is not detailed in the advisory.

Generated by OpenCVE AI on April 16, 2026 at 07:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Innovio theme to the latest version (greater than 1.7).
  • If an upgrade is not possible, enforce stricter permission checks on any endpoints that expose object identifiers, ensuring only authorized roles can access the corresponding content.
  • Review and tighten role‑based access controls within WordPress to prevent unauthorized content retrieval via direct IDs.

Generated by OpenCVE AI on April 16, 2026 at 07:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}

Tue, 27 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Mikado-themes
Mikado-themes innovio
Wordpress
Wordpress wordpress
Vendors & Products Mikado-themes
Mikado-themes innovio
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Innovio innovio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Innovio: from n/a through <= 1.7.
Title WordPress Innovio theme <= 1.7 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses CWE-639
References

Subscriptions

Mikado-themes Innovio
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:56:20.045Z

Reserved: 2026-01-07T12:21:56.448Z

Link: CVE-2026-22404

cve-icon Vulnrichment

Updated: 2026-01-27T17:44:52.151Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:33.553

Modified: 2026-04-28T19:36:34.920

Link: CVE-2026-22404

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T08:00:11Z

Weaknesses