Description
Authorization Bypass Through User-Controlled Key vulnerability in Elated-Themes Sweet Jane sweetjane allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sweet Jane: from n/a through <= 1.2.
Published: 2026-01-22
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Update Theme
AI Analysis

Impact

Elated-Themes Sweet Jane contains an Authorization Bypass Through User‑Controlled Key flaw that enables an attacker to bypass proper access control checks. This IDOR vulnerability may allow the attacker to retrieve or modify protected content that should not be reachable by their user level, compromising confidentiality and integrity of pages or media managed by the theme. The weakness is classified as CWE‑639.

Affected Systems

The flaw affects the Sweet Jane WordPress theme from the earliest available build through version 1.2. All installations of Sweet Jane up to and including 1.2 are vulnerable when deployed on a WordPress site without additional layer of access restriction.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote web request that manipulates a user‑controlled key or URL parameter to access protected resources.

Generated by OpenCVE AI on April 16, 2026 at 17:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Sweet Jane theme to the latest release, which contains the security fix for the IDOR issue.
  • Ensure WordPress role‑based access controls are configured so that only authorized users can reference the hierarchical objects exposed by the theme.
  • If an immediate update is not possible, block or sanitize the specific URL patterns or query parameters used by the theme to expose objects, preventing direct object reference exploitation.

Generated by OpenCVE AI on April 16, 2026 at 17:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Mon, 26 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Authorization Bypass Through User-Controlled Key vulnerability in Elated-Themes Sweet Jane sweetjane allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sweet Jane: from n/a through <= 1.2.
Title WordPress Sweet Jane theme <= 1.2 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses CWE-639
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:02.661Z

Reserved: 2026-01-07T12:22:06.512Z

Link: CVE-2026-22426

cve-icon Vulnrichment

Updated: 2026-01-26T20:45:30.988Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:34.153

Modified: 2026-04-23T15:36:30.817

Link: CVE-2026-22426

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T18:00:11Z

Weaknesses