Description
Missing Authorization vulnerability in MVPThemes The League the-league allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The League: from n/a through <= 4.4.1.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control
Action: Patch Now
AI Analysis

Impact

A missing authorization flaw in the MVPThemes The League WordPress theme allows attackers to bypass the intended access controls and perform actions normally restricted to authorized users. The vulnerability can enable arbitrary modification of theme options or content, potentially leading to defacement, loss of data integrity, or further compromise if the attacker escalates privileges. It is a classic Broken Access Control weakness as identified by its CWE classification.

Affected Systems

WordPress installations that have the MVPThemes The League theme version 4.4.1 or earlier installed are affected. Any site running any release of the theme from its initial distribution up through version 4.4.1 is vulnerable, regardless of other plugins or core WordPress version. The core platform itself is not directly impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score below 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers are likely to reach the flaw through the web interface, possibly through crafted URLs or form submissions that bypass authorization checks. Although exploitation is unlikely, the moderate impact on site integrity warrants timely remediation.

Generated by OpenCVE AI on March 26, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update The League theme to the latest patched version (4.5 or newer).
  • Verify that the old theme files are removed from the WP installation to prevent residual exploitation paths.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mvpthemes; Mvpthemes the League; Wordpress; Wordpress wordpress
Vendors & Products | | Mvpthemes; Mvpthemes the League; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in MVPThemes The League the-league allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The League: from n/a through <= 4.4.1.
Title | | WordPress The League theme <= 4.4.1 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T16:50:46.129Z

Reserved: 2026-02-02T12:53:53.792Z

Link: CVE-2026-25454

Vulnrichment

Updated: 2026-03-26T16:31:58.856Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:51.473

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25454

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:42Z

Weaknesses