Description
Missing Authorization vulnerability in LiquidThemes Ave Core ave-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ave Core: from n/a through <= 2.9.1.
Published: 2026-03-25
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows attackers to exploit incorrectly configured access control security levels in the Ave Core plugin. Because the plugin’s administrative functions are not properly protected, an attacker could gain unauthorized access to protected configuration settings or other sensitive functionality provided by the plugin, potentially enabling further misuse of the WordPress site.

Affected Systems

All installations of the Ave Core plugin from the first released version through version 2.9.1 are affected. Site administrators who use this plugin on WordPress should identify whether those specific plugin versions are in use and ensure that the plugin is updated or removed.

Risk and Exploitability

The CVSS score of 6.3 places this vulnerability in the medium severity range, and the EPSS score of less than 1% together with the absence from the CISA KEV catalog indicate that the likelihood of active exploitation is currently low. Nevertheless, the flaw can be leveraged by users with limited site privileges to access privileged plugin pages, which may lead to unauthorized configuration changes or disclosure of protected data. Attackers would likely traverse the plugin’s administrative interface; however, detailed exploitation steps are not supplied in the description, so the risk assessment is based on the nature of the broken access control.

Generated by OpenCVE AI on March 27, 2026 at 16:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Ave Core plugin to the latest version that resolves the access control issue (versions newer than 2.9.1).
  • If an upgrade is not immediately possible, disable the plugin entirely to block access to its vulnerable functionality.
  • Review and audit the plugin’s configured permissions and restrict administrative access to trusted users only.

Generated by OpenCVE AI on March 27, 2026 at 16:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Liquidthemes
Liquidthemes ave Core
Wordpress
Wordpress wordpress
Vendors & Products Liquidthemes
Liquidthemes ave Core
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in LiquidThemes Ave Core ave-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ave Core: from n/a through <= 2.9.1.
Title WordPress Ave Core plugin <= 2.9.1 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Liquidthemes Ave Core
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-27T13:47:28.673Z

Reserved: 2026-02-02T12:53:53.793Z

Link: CVE-2026-25460

cve-icon Vulnrichment

Updated: 2026-03-27T13:31:57.071Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:52.147

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25460

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:26:19Z

Weaknesses