Description
Missing Authorization vulnerability in Select-Themes Don Peppe donpeppe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Don Peppe: from n/a through <= 1.3.
Published: 2026-01-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control allowing unauthorized access to theme functionality
Action: Patch
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the Don Peppe WordPress theme. Because access control checks are incorrectly configured, attackers can gain unauthorized access to theme management features, potentially modifying settings, uploading files, or creating content without permission. This weakness is categorized as CWE-862, indicating that the code fails to check for proper privileges before executing sensitive operations.

Affected Systems

The affected product is the Select‑Themes Don Peppe theme for WordPress, with all versions from the initial release up to and including 1.3 susceptible to the flaw.

Risk and Exploitability

The CVSS score of 4.3 rates the issue as low severity, and the EPSS score indicates a very small probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote, where a web request targeting privileged theme endpoints bypasses authentication checks. While no confirmed public exploits exist, the possibility of abuse exists if the theme is installed in an otherwise secure environment.

Generated by OpenCVE AI on April 16, 2026 at 07:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Don Peppe theme to a version newer than 1.3 once the vendor releases a patched build.
  • If an update cannot be applied immediately, remove or deactivate the theme on all sites and clean up any lingering theme files to prevent accidental execution.
  • Configure the WordPress installation’s role and capability settings to restrict access to theme management—ensuring only administrators can modify theme options—and monitor logs for any anomalous access attempts.

Generated by OpenCVE AI on April 16, 2026 at 07:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Select-Themes Don Peppe donpeppe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Don Peppe: from n/a through <= 1.3.
Title WordPress Don Peppe theme <= 1.3 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:52.358Z

Reserved: 2026-01-07T13:43:49.724Z

Link: CVE-2026-22450

cve-icon Vulnrichment

Updated: 2026-01-27T17:32:23.108Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:34.663

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22450

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T07:45:06Z

Weaknesses