Description
Missing Authorization vulnerability in wpcoachify Coachify coachify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Coachify: from n/a through <= 1.1.5.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control
Action: Patch Now
AI Analysis

Impact

The Coachify theme contains a missing authorization flaw (CWE-862): a theme function that should be restricted can be invoked without a permission check, so a caller can exploit the incorrectly configured access-control levels to reach protected functionality without holding the capability it should require. The CVSS 3.1 vector recorded below (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) scores no confidentiality or integrity impact and a low availability impact, so the rated consequence is limited disruption of the site rather than disclosure or modification of data. The description does not identify which theme function lacks the check.
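The pattern behind a CWE-862 finding in a WordPress theme, beside the corresponding fix, as an added illustration that is not Coachify's code (the page does not identify the affected function). The hook names, the `demo_` prefix and the `demo_theme_settings` option are assumptions made for this example.

```php
<?php
// Added example, not Coachify code: hook names, the demo_ prefix and the
// demo_theme_settings option are assumptions made for illustration.

// --- Vulnerable pattern (CWE-862) -------------------------------------------
// The same handler is hooked on wp_ajax_* (logged-in users) and
// wp_ajax_nopriv_* (anonymous visitors), and it never checks who is calling.
// Any client that can POST to /wp-admin/admin-ajax.php?action=demo_reset_settings
// can run it, which matches a PR:N (no privileges required) CVSS vector.
add_action( 'wp_ajax_demo_reset_settings',        'demo_reset_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_reset_settings', 'demo_reset_settings_vulnerable' );

function demo_reset_settings_vulnerable() {
    delete_option( 'demo_theme_settings' );   // privileged side effect, unguarded
    wp_send_json_success( array( 'reset' => true ) );
}

// --- Hardened pattern -------------------------------------------------------
// 1. No nopriv hook for a privileged action.
// 2. A nonce check (CSRF) AND a capability check (authorization). A nonce on
//    its own proves the request came from a page WordPress rendered for that
//    user; it does not prove the user is allowed to perform the action.
add_action( 'wp_ajax_demo_reset_settings_v2', 'demo_reset_settings_hardened' );

function demo_reset_settings_hardened() {
    // Dies with HTTP 403 when the 'nonce' POST field is missing or invalid.
    check_ajax_referer( 'demo_reset_settings', 'nonce' );

    // Authorization: manage_options is the capability site options require.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    delete_option( 'demo_theme_settings' );
    wp_send_json_success( array( 'reset' => true ) );
}

// The same rule for REST routes: permission_callback carries the authorization
// decision. '__return_true' is only acceptable for genuinely public routes.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/reset-settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            delete_option( 'demo_theme_settings' );
            return rest_ensure_response( array( 'reset' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

The client script obtains the nonce from `wp_create_nonce( 'demo_reset_settings' )` (typically handed over with `wp_localize_script`) and sends it as the `nonce` POST field. When auditing a theme for this class of bug, grep for `wp_ajax_nopriv_`, `admin_post_nopriv_` and `'permission_callback' => '__return_true'` and confirm that each hook found is meant to be reachable by anonymous visitors.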

Affected Systems

WordPress installations running the Coachify theme from wpcoachify at version 1.1.5 or earlier (the CVE gives no lower bound: "from n/a"). The page records no fixed release, so every deployment of 1.1.5 or earlier should be treated as affected until the vendor publishes a patched version.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (Medium) follows from the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L: reachable over the network, low attack complexity, no privileges and no user interaction required, and a low availability impact only. The EPSS score below 1% indicates that exploitation is presently uncommon; the vulnerability is not listed in CISA's KEV catalog, no public exploit is known at this time, and the SSVC record on this page marks Exploitation as "none" while rating the issue Automatable "yes", meaning the unchecked function can be driven by scripted HTTP requests once it is located. Because PR:N is scored, the realistic attacker is an unauthenticated visitor sending requests to the theme's reachable endpoints from a browser or an automated client; the description does not name the endpoint, so which request reaches the unchecked function cannot be determined from this page.

Generated by OpenCVE AI on April 16, 2026 at 16:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Coachify to a release newer than 1.1.5 as soon as the vendor publishes one that addresses the missing authorization check. This page records no fixed version, so confirm in the vendor's or Patchstack's changelog that the release actually closes this issue before treating the upgrade as remediation.
  • If no upgrade is available, note that the flaw is scored as reachable without privileges (PR:N), so tightening WordPress capabilities does not by itself close it. Treat capability hardening as defence in depth and, if the theme is not essential, consider switching to another theme until a fix ships.
  • Review the capabilities each WordPress role holds and remove any that the theme or site configuration grants to roles that should not have them, so that only administrators can invoke the theme's controlled functions.
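A capability audit of the kind the second and third actions call for, as an added example that is not part of Coachify or of OpenCVE. The list of privileged capabilities, the administrator-only policy and the `demo_` function name are assumptions; a real run would add whatever custom capabilities the theme registers.

```php
<?php
// Added example, not Coachify code. Run inside WordPress, e.g. from the site
// root with WP-CLI:  wp eval-file capability-audit.php        (report only)
//                    wp eval-file capability-audit.php apply  (also remove)
// The capability list and the allowed-role list below are assumptions.

/**
 * Find (and optionally remove) privileged capabilities held by roles that
 * should not have them.
 *
 * @param string[] $privileged_caps Capabilities reserved for trusted roles.
 * @param string[] $allowed_roles   Roles permitted to keep those capabilities.
 * @param bool     $apply           Remove the excess capabilities when true.
 * @return array<string, string[]>  role name => capabilities found in excess.
 */
function demo_audit_privileged_caps( array $privileged_caps, array $allowed_roles, $apply = false ) {
    $findings = array();

    // wp_roles()->roles is role_name => [ 'name' => ..., 'capabilities' => [ cap => bool ] ].
    foreach ( wp_roles()->roles as $role_name => $role_data ) {
        if ( in_array( $role_name, $allowed_roles, true ) ) {
            continue;
        }

        // Capabilities explicitly set to false are denials, not grants; keep only true ones.
        $granted = array_keys( array_filter( $role_data['capabilities'] ) );
        $excess  = array_values( array_intersect( $privileged_caps, $granted ) );
        if ( empty( $excess ) ) {
            continue;
        }

        $findings[ $role_name ] = $excess;

        if ( $apply ) {
            $role = get_role( $role_name );
            foreach ( $excess as $cap ) {
                $role->remove_cap( $cap ); // persisted in the wp_user_roles option
            }
        }
    }

    return $findings;
}

// Built-in capabilities that let a user change site configuration or themes.
$privileged_caps = array( 'manage_options', 'edit_theme_options', 'switch_themes', 'install_themes' );
$allowed_roles   = array( 'administrator' );

// $args is the positional-argument array WP-CLI's eval-file provides; absent elsewhere.
$apply    = isset( $args ) && in_array( 'apply', $args, true );
$findings = demo_audit_privileged_caps( $privileged_caps, $allowed_roles, $apply );

if ( empty( $findings ) ) {
    echo "No non-administrator role holds a privileged capability.\n";
}
foreach ( $findings as $role_name => $caps ) {
    printf( "%s: %s%s\n", $role_name, implode( ', ', $caps ), $apply ? ' (removed)' : '' );
}
```

Role-level removal does not touch capabilities granted directly to an individual user with `WP_User::add_cap()`; inspect `$user->caps` for the relevant users separately. Since this CVE is scored PR:N, the audit reduces what an attacker can reach after compromising a low-privilege account; it does not replace the vendor fix.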

Generated by OpenCVE AI on April 16, 2026 at 16:58 UTC.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 10:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wordpress
                                       Wordpress wordpress
                                       Wpcoachify
                                       Wpcoachify coachify
Vendors & Products                     Wordpress
                                       Wordpress wordpress
                                       Wpcoachify
                                       Wpcoachify coachify

Fri, 20 Feb 2026 01:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 22:30:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1
                           {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Thu, 19 Feb 2026 08:45:00 +0000

Type          Values Removed   Values Added
Description                    Missing Authorization vulnerability in wpcoachify Coachify coachify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Coachify: from n/a through <= 1.1.5.
Title                          WordPress Coachify theme <= 1.1.5 - Broken Access Control vulnerability
Weaknesses                     CWE-862
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:48.802Z

Reserved: 2026-02-02T12:52:37.307Z

Link: CVE-2026-25336

Vulnrichment

Updated: 2026-02-19T21:18:08.332Z

NVD

Status : Deferred

Published: 2026-02-19T09:16:18.320

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25336

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:00:09Z

Weaknesses