Description
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Overton overton allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Overton: from n/a through <= 1.3.
Published: 2026-01-22
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via IDOR
Action: Patch Promptly
AI Analysis

Impact

The Mikado-Themes Overton WordPress theme contains an authorization bypass through a user-controlled key, which allows an attacker to manipulate object identifiers in requests and thereby access, modify, or delete content or files that should be restricted to privileged users. The flaw corresponds to CWE-639 (Insecure Direct Object Reference) and can result in exposure of confidential data and tampering with site content.

Affected Systems

All installations of the Overton theme from the earliest release through version 1.3 on WordPress sites are affected. Any site that has not applied a newer version of the theme remains vulnerable.

Risk and Exploitability

The CVSS v3.1 score is 5.4, indicating moderate severity. The EPSS score is below 1%, suggesting a very low current likelihood of exploitation, and the vulnerability is not listed in a KEV catalog. Based on the description, it is inferred that an attacker can exploit the flaw by crafting HTTP requests to the theme's endpoints without needing advanced authentication. While exploitation is technically straightforward, the lack of publicly disclosed exploits and the low EPSS reduce the immediate urgency; timely patching is still prudent.

Generated by OpenCVE AI on April 16, 2026 at 17:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Mikado‑Themes Overton theme to the latest available release (≥1.4) to eliminate the IDOR flaw.
  • If an immediate update is not feasible, restrict access to the theme’s vulnerable URLs by configuring the web server or firewall to block requests containing disallowed object identifiers.
  • Review and tighten WordPress user role definitions to limit permissions for content that should not be exposed, and enable logging to detect unauthorized attempts to access the theme’s resources.
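The CWE-639 pattern behind these recommendations, shown as an added illustration that is not the Overton theme's code (the affected code is not on this page): a hypothetical WordPress AJAX handler that deletes an item by a client-supplied post ID, first with only a "logged in" check and then hardened with a nonce check, object validation and a per-object capability check, plus a log line for the detection point mentioned above. The post type `theme_item`, the action names and the nonce name are assumptions.

```php
<?php
// Added example (hypothetical theme code, not Overton's): a theme AJAX
// handler that deletes a post identified by a client-supplied ID.

// Vulnerable pattern (CWE-639): wp_ajax_* only guarantees the caller is
// logged in. Any authenticated user can send another author's post ID.
function theme_delete_item_insecure() {
    $post_id = (int) $_POST['post_id'];
    wp_delete_post( $post_id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_theme_delete_item_insecure', 'theme_delete_item_insecure' );

// Hardened pattern: verify the request nonce, confirm the object exists and
// is of the type this endpoint manages, and ask WordPress whether THIS user
// may delete THIS post. The ID is still user-controlled, but it is now bound
// to an object-level capability check instead of a generic login state.
function theme_delete_item_secure() {
    // Nonce ties the request to a form this site rendered for this user
    // (nonce action 'theme_delete_item' is an assumed name).
    check_ajax_referer( 'theme_delete_item', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // Reject unknown IDs and objects of a type this endpoint must not touch.
    // 'theme_item' is an assumed custom post type.
    if ( ! $post || 'theme_item' !== $post->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Object-level authorization: the 'delete_post' meta capability is
    // resolved against this specific post, so an author may delete their own
    // items while only editors may delete other users' items.
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        // Log the denied attempt; a burst of these from one user is the
        // IDOR probing signal the recommendations above ask you to watch for.
        error_log( sprintf( 'theme: user %d denied delete on post %d',
            get_current_user_id(), $post->ID ) );
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $post->ID, true );
    wp_send_json_success( array( 'deleted' => $post->ID ) );
}
add_action( 'wp_ajax_theme_delete_item', 'theme_delete_item_secure' );
```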


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values removed: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
Values added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}


Tue, 27 Jan 2026 19:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values added: Mikado-themes; Mikado-themes overton; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Mikado-themes; Mikado-themes overton; Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values added: Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Overton overton allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Overton: from n/a through <= 1.3.

Type: Title
Values added: WordPress Overton theme <= 1.3 - Insecure Direct Object References (IDOR) vulnerability

Type: Weaknesses
Values added: CWE-639

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:56:36.673Z

Reserved: 2026-01-07T12:21:56.448Z

Link: CVE-2026-22406

Vulnrichment

Updated: 2026-01-27T18:37:42.452Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:33.673

Modified: 2026-04-28T19:36:35.090

Link: CVE-2026-22406

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:00:11Z

Weaknesses