Description
Missing Authorization vulnerability in ikreatethemes Business Roy business-roy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Business Roy: from n/a through <= 1.1.4.
Published: 2026-02-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Missing Authorization leading to potential unauthorized actions
Action: Apply Patch
AI Analysis

Impact

A missing authorization flaw in the WordPress Business Roy theme allows an attacker to exploit incorrectly configured access control security levels. The vulnerability can enable users without proper privileges to perform actions normally reserved for higher‑privileged accounts, potentially affecting data integrity or confidentiality within the site. The weakness is identified as a broken access control issue (CWE‑862).

Affected Systems

The condition affects all installations of the Business Roy theme from the earliest release up through version 1.1.4. Users running any of those versions are susceptible; newer releases are not known to contain the flaw.

Risk and Exploitability

The CVSS score of 4.3 places the vulnerability in the moderate range, while an EPSS score of less than 1 % indicates a low predicted probability of exploitation at present. The vulnerability is not included in the CISA KEV list. The likely attack vector is via the WordPress administrative interface, inferred from the nature of the access‑control issue, although the description does not explicitly state it. An attacker would need access to the site’s backend to leverage the flaw, making the exploitation contingent on compromised credentials or remote code execution on the server.

Generated by OpenCVE AI on April 16, 2026 at 06:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Business Roy theme to a version newer than 1.1.4, which removes the access‑control weakness.
  • If upgrading immediately is not possible, re‑configure the theme or site to remove or disable any administrative features exposed by the theme that could be abused by unauthorised accounts.
  • Review and tighten WordPress user role permissions, ensuring that only users who truly need advanced capabilities are granted them, to reduce the potential impact of any remaining unelevated access issues.

Generated by OpenCVE AI on April 16, 2026 at 06:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Ikreatethemes
Ikreatethemes business Roy
Wordpress
Wordpress wordpress
Vendors & Products Ikreatethemes
Ikreatethemes business Roy
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in ikreatethemes Business Roy business-roy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Business Roy: from n/a through <= 1.1.4.
Title WordPress Business Roy theme <= 1.1.4 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Ikreatethemes Business Roy
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:54.096Z

Reserved: 2026-02-02T12:53:12.987Z

Link: CVE-2026-25395

cve-icon Vulnrichment

Updated: 2026-02-19T19:14:38.192Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T09:16:21.790

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25395

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T06:45:16Z

Weaknesses