Description
Missing Authorization vulnerability in peregrinethemes Shopwell shopwell allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shopwell: from n/a through <= 1.0.11.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch Now
AI Analysis

Impact

The Shopwell theme contains a missing authorization flaw (CWE-862) that allows attackers to exploit incorrectly configured access control security levels. This means that certain actions performed through the theme's administrative interface may bypass required permission checks. The CVE description does not specify whether these actions expose read or modify capabilities, so the potential impact remains uncertain but could affect the confidentiality, integrity, or availability of the hosted WordPress site; the CVSS vector recorded for this entry scores only a low confidentiality impact (C:L/I:N/A:N).

Affected Systems

WordPress sites that use the Shopwell theme version 1.0.11 or earlier are affected. The issue applies to all deployments of the vulnerable theme versions prior to the fix and is not limited to any particular WordPress installation.

Risk and Exploitability

The CVSS score of 5.3 reflects medium severity, and the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, an attacker would presumably need to reach theme-related administrative endpoints; the description does not detail the privilege level required for exploitation, although the CVSS vector recorded for this entry (AV:N/AC:L/PR:N/UI:N) scores the issue as reachable over the network with no privileges and no user interaction. The likely attack vector involves accessing theme configuration pages that lack proper access checks, and exploitation would typically require only the presence of the theme.

Generated by OpenCVE AI on April 17, 2026 at 18:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Shopwell theme to a version newer than 1.0.11.
  • If an immediate upgrade is not practical, deactivate the Shopwell theme or switch to an alternative theme until the issue is resolved.
  • Ensure that all theme‑related administrative pages enforce role‑based access controls, or temporarily restrict access to these pages until the update is applied.



Advisories

No advisories yet.

History

Fri, 20 Feb 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Peregrinethemes; Peregrinethemes shopwell; Wordpress; Wordpress wordpress
Vendors & Products | | Peregrinethemes; Peregrinethemes shopwell; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 01:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 22:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Thu, 19 Feb 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in peregrinethemes Shopwell shopwell allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shopwell: from n/a through <= 1.0.11.
Title | | WordPress Shopwell theme <= 1.0.11 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:48.484Z

Reserved: 2026-02-02T12:52:29.367Z

Link: CVE-2026-25333

Vulnrichment

Updated: 2026-02-19T21:20:23.852Z

NVD

Status: Deferred

Published: 2026-02-19T09:16:18.040

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25333

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:15:26Z

Weaknesses