{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25460", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:53.793Z", "datePublished": "2026-03-25T16:14:51.015Z", "dateUpdated": "2026-03-25T16:14:51.015Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "ave-core", "product": "Ave Core", "vendor": "LiquidThemes", "versions": [{"lessThanOrEqual": "<= 2.9.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Rafie Muhammad | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:30.260Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in LiquidThemes Ave Core ave-core allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Ave Core: from n/a through <= 2.9.1.</p>"}], "value": "Missing Authorization vulnerability in LiquidThemes Ave Core ave-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ave Core: from n/a through <= 2.9.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:51.015Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ave-core/vulnerability/wordpress-ave-core-plugin-2-9-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Ave Core plugin <= 2.9.1 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in LiquidThemes Ave Core ave-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ave Core: from n/a through <= 2.9.1."}], "id": "CVE-2026-25460", "lastModified": "2026-03-25T17:16:52.147", "metrics": {}, "published": "2026-03-25T17:16:52.147", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ave-core/vulnerability/wordpress-ave-core-plugin-2-9-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:49:29.020063+00:00", "value": {"mitigation_remediation": ["Update the Ave Core plugin to a version newer than 2.9.1 once the vendor releases a patch. If a newer version is unavailable, disable the Ave Core plugin until an update is available. Monitor the vendor\u2019s release notes and security advisories for a future fix."], "summary": {"action": "Immediate Patch", "impact": "Broken access control enabling unauthorized privilege escalation within WordPress via the Ave Core plugin"}, "threat_synthesis": {"affected_systems": "The issue affects the LiquidThemes Ave Core plugin for WordPress, version 2.9.1 and earlier. Administrators running this plugin on any WordPress installation are susceptible until a newer version is installed.", "description_and_impact": "The vulnerability is a missing authorization flaw in the Ave Core WordPress plugin that allows attackers to exploit incorrectly configured access control security levels. This flaw permits an adversary to gain unauthorized access to restricted administrative functions or modify plugin settings beyond their legitimate privileges, potentially compromising the confidentiality, integrity, and availability of the affected WordPress site.", "risk_and_exploitability": "Because the CVE entry does not provide an EPSS score or a KEV listing, the explicit likelihood of exploitation is unknown. The nature of the flaw suggests that an attacker can remotely exploit it via the web interface, assuming they can reach the plugin\u2019s administrative endpoints. The lack of an official mitigation means that the risk relies on the organization\u2019s ability to apply a patch or mitigate the exposure. Organizations with permissive permissions for plugin management in the WordPress dashboard are the most likely to be impacted."}}}}, "created": "2026-03-25T21:44:20.011206+00:00", "updated": "2026-03-25T21:44:20.011240+00:00", "vendors": []}