Description
Missing Authorization vulnerability in themebeez Orchid Store orchid-store allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Orchid Store: from n/a through <= 1.5.15.
Published: 2026-01-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via broken access control
Action: Patch Now
AI Analysis

Impact

The Orchid Store WordPress theme contains a missing authorization check that allows unauthorized users to access or modify restricted administrative functions. As a result, an attacker who gains access to the site could potentially view, edit, or delete sensitive data, thereby compromising the confidentiality and integrity of the WordPress installation. The weakness is classified as CWE-862: Missing Authorization.

Affected Systems

All installations of the Orchid Store theme up to and including version 1.5.15 are affected. Site owners should identify the installed version and confirm whether it precedes 1.5.16.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity; the EPSS score of less than 1% suggests a very low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The attack is inferred to be possible through the web interface, with no prerequisite other than network access to the WordPress site. Proper access control is therefore essential to mitigate this risk.

Generated by OpenCVE AI on April 16, 2026 at 01:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Orchid Store theme version 1.5.16 or later, which resolves the missing authorization flaw.
  • If an upgrade cannot be performed immediately, restrict exposure by disabling theme settings pages for non-admin users and limiting overall theme capabilities through WordPress role management.
  • Continuously monitor site logs for unusual administrative activity and apply the latest security patches to all WordPress components.

Advisories

No advisories yet.

History

Mon, 26 Jan 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Themebeez; Themebeez orchid Store; Wordpress; Wordpress wordpress
Vendors & Products | | Themebeez; Themebeez orchid Store; Wordpress; Wordpress wordpress

Fri, 23 Jan 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 14:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in themebeez Orchid Store orchid-store allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Orchid Store: from n/a through <= 1.5.15.
Title | | WordPress Orchid Store theme <= 1.5.15 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:25.477Z

Reserved: 2026-01-23T12:32:24.371Z

Link: CVE-2026-24612

Vulnrichment

Updated: 2026-01-23T17:06:43.908Z

NVD

Status: Deferred

Published: 2026-01-23T15:16:19.997

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24612

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T01:45:20Z
