Description
Missing Authorization vulnerability in Select-Themes Prowess prowess allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Prowess: from n/a through <= 1.8.1.
Published: 2026-01-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control
Action: Apply Patch
AI Analysis

Impact

Missing authorization in the Prowess theme for WordPress allows an attacker with insufficient privileges to perform privileged actions; the flaw lies in incorrect handling of access control levels and belongs to CWE-862, exposing the site to potential unauthorized data manipulation or administrative tampering.

Affected Systems

WordPress installations that use the Select-Themes Prowess theme version 1.8.1 or earlier are affected; any site that has not upgraded beyond 1.8.1 is vulnerable.

Risk and Exploitability

The flaw has a CVSS score of 4.3, indicating moderate severity, and an EPSS score below 1%, suggesting a low probability of exploitation; it is not listed in the CISA KEV catalog. Exploitation would likely depend on a user account with limited access being able to circumvent role checks, a scenario inferred from the description as the vulnerability involves incorrect configuration of access control security levels.

Generated by OpenCVE AI on April 28, 2026 at 18:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Select-Themes Prowess theme to a version newer than 1.8.1
  • Configure the web server or CMS to restrict direct access to theme files and directories
  • Re-implement role-based access checks on all theme-related administrative screens

Generated by OpenCVE AI on April 28, 2026 at 18:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Wed, 28 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Select-Themes Prowess prowess allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Prowess: from n/a through <= 1.8.1.
Title WordPress Prowess theme <= 1.8.1 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T17:11:59.335Z

Reserved: 2026-01-07T13:43:49.724Z

Link: CVE-2026-22447

cve-icon Vulnrichment

Updated: 2026-01-27T17:33:37.866Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:34.537

Modified: 2026-04-28T19:36:38.003

Link: CVE-2026-22447

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T18:15:37Z

Weaknesses