Description
Missing Authorization vulnerability in uixthemes Sober sober allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sober: from n/a through <= 3.5.12.
Published: 2026-02-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control that permits unauthorized actions
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows exploitation of incorrectly configured access control levels. Attackers can bypass standard permission checks to gain unauthorized access to protected actions via the WordPress Sober theme. This flaw may enable the execution of privileged operations, potentially compromising the integrity and confidentiality of site data.

Affected Systems

The weakness affects the WordPress Sober theme built by uixthemes for all installations from any unreleased version through version 3.5.12. Any WordPress website that has not migrated to a newer, unpatched theme version is susceptible.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while an EPSS score below 1% signals a very low probability of real‑world exploitation. Because the flaw is not listed in the KEV catalog, no confirmed public exploit is known. The likely attack vector is via the web interface of the affected theme, requiring authenticated access or presence of a vulnerable configuration. The overall risk remains low due to the limited exploitation likelihood but can be significant if the attacker achieves elevated privileges.

Generated by OpenCVE AI on April 16, 2026 at 00:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Sober theme to a version newer than 3.5.12 once the vendor releases an official patch.
  • Verify that all administrative pages are protected by authentication and that only authorized users can access them.
  • Confirm that role‑based access controls enforce correct capabilities and restrict theme‑specific privileges to trusted users only.

Generated by OpenCVE AI on April 16, 2026 at 00:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Uixthemes
Uixthemes sober
Wordpress
Wordpress wordpress
Vendors & Products Uixthemes
Uixthemes sober
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in uixthemes Sober sober allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sober: from n/a through <= 3.5.12.
Title WordPress Sober theme <= 3.5.12 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Uixthemes Sober
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:58.937Z

Reserved: 2026-02-02T12:53:53.793Z

Link: CVE-2026-25459

cve-icon Vulnrichment

Updated: 2026-02-19T18:21:22.505Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T09:16:24.860

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25459

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T00:15:18Z

Weaknesses