Description
Missing Authorization vulnerability in wproyal News Magazine X news-magazine-x allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects News Magazine X: from n/a through <= 1.2.50.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Administrative Access
Action: Patch
AI Analysis

Impact

The News Magazine X theme contains a missing authorization check that permits the exploitation of incorrectly configured access control levels. Attackers could gain unauthorized access to functions that should be restricted to administrators, potentially enabling the modification or deletion of site content or settings. This flaw is a classic example of broken access control (CWE‑862).

Affected Systems

WordPress sites that have the News Magazine X theme version 1.2.50 or earlier are affected. Versions beyond 1.2.50 have ceased support for this issue. The vulnerability does not impact WordPress core or other themes.

Risk and Exploitability

The CVSS score of 7.5 highlights a high severity issue, while the EPSS score of less than 1 % shows a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is web‑based, involving crafted HTTP requests to the theme’s administrative or public endpoints where the authorization check is missing; this inference is made because the description refers to a missing authorization in web interfaces. Exploitation would require access to these endpoints and a user interface that does not enforce proper permission checks.

Generated by OpenCVE AI on March 26, 2026 at 23:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the News Magazine X theme to the latest version available from the vendor.
  • Ensure that the upgrade has been applied and remove any older theme files from the WordPress installation.
  • Restrict access to theme configuration screens to only trusted administrators.
  • Verify that the theme’s URLs and API endpoints are protected by proper authentication and authorization checks.

Generated by OpenCVE AI on March 26, 2026 at 23:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wp-royal-themes
Wp-royal-themes news Magazine X
Vendors & Products Wordpress
Wordpress wordpress
Wp-royal-themes
Wp-royal-themes news Magazine X

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in wproyal News Magazine X news-magazine-x allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects News Magazine X: from n/a through <= 1.2.50.
Title WordPress News Magazine X theme <= 1.2.50 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
Wp-royal-themes News Magazine X
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:05.047Z

Reserved: 2026-01-22T14:42:40.516Z

Link: CVE-2026-24382

cve-icon Vulnrichment

Updated: 2026-03-26T19:39:12.223Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:38.237

Modified: 2026-04-23T15:36:45.113

Link: CVE-2026-24382

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:46:25Z

Weaknesses