Description
Missing Authorization vulnerability in sparklewpthemes Hello FSE hello-fse allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hello FSE: from n/a through <= 1.0.6.
Published: 2026-02-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Access Control
Action: Update Theme
AI Analysis

Impact

The vulnerability in the Hello FSE theme allows an attacker to bypass authorization checks and access theme configuration or content that should be restricted. This could enable unauthorized users to view, modify or delete theme settings, potentially affecting site integrity and confidentiality. The weakness is classified as CWE-862 (Missing Authorization): the code does not perform an authorization check when an actor attempts to access a resource or perform an action.

Affected Systems

WordPress sites utilizing the SparkleWPThemes Hello FSE theme version 1.0.6 or earlier are affected. No specific WordPress core version is listed, but the issue applies to any deployment where the Hello FSE theme is active and the default access controls are in place.

Risk and Exploitability

The CVSS score of 4.3 denotes moderate risk, while the EPSS score of less than 1% indicates a low likelihood of exploitation at any given time. The vulnerability is not in the CISA KEV catalog, which further suggests limited evidence of widespread exploitation. Based on the description, it is inferred that attackers would need to target sites where the Hello FSE theme is installed and may exploit the broken access checks via normal user interaction or possibly through automated discovery of sensitive theme URLs. No remote code execution or privilege escalation is reported, so the primary threat is unauthorized access to theme configuration and possibly sensitive content.

Generated by OpenCVE AI on April 17, 2026 at 18:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Hello FSE theme to the latest available version, ensuring it is newer than 1.0.6, and verify the update against the vendor's release notes and checksum.
  • If no newer version is available, uninstall or disable the Hello FSE theme entirely to eliminate the vulnerable code.
  • Restrict access to theme configuration URLs so that only administrators can reach them, implementing role-based permissions or a suitable plugin; verify that no custom code overrides the default access checks.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Sparklewpthemes
Sparklewpthemes hello Fse
Wordpress
Wordpress wordpress
Vendors & Products Sparklewpthemes
Sparklewpthemes hello Fse
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in sparklewpthemes Hello FSE hello-fse allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hello FSE: from n/a through <= 1.0.6.
Title WordPress Hello FSE theme <= 1.0.6 - Broken Access Control vulnerability
Weaknesses CWE-862
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:57.665Z

Reserved: 2026-02-02T12:53:07.232Z

Link: CVE-2026-25393

Vulnrichment

Updated: 2026-02-19T19:19:03.435Z

NVD

Status: Deferred

Published: 2026-02-19T09:16:21.510

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25393

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:15:26Z
