Description
Incorrect Privilege Assignment vulnerability in uxper Golo golo allows Privilege Escalation.This issue affects Golo: from n/a through <= 1.7.0.
Published: 2026-03-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation in WordPress Golo theme
Action: Immediate Patch
AI Analysis

Impact

A flaw in the Golo WordPress theme assigns incorrect privileges, allowing an attacker to gain higher administrative rights on the site. The vulnerability can enable the creation of new admin accounts or modification of existing ones, giving the attacker full control over site content, settings, and potentially the underlying server environment. The weakness is classified as a privilege escalation vulnerability.

Affected Systems

Any WordPress installation that uses the uxper Golo theme version 1.7.0 or earlier is affected. All releases prior to and including 1.7.0 are vulnerable, regardless of the WordPress core version. Site administrators should review their theme usage to determine if the Golo theme is in use and whether it meets the version threshold.

Risk and Exploitability

The CVSS score of 9.8 indicates a severe impact, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, implying no confirmed public exploits. Based on the description, the attack vector likely involves access to the WordPress admin interface or uploading a modified theme file; the exact conditions are not detailed, so the assessment relies on inference from the privilege escalation nature of the fault.

Generated by OpenCVE AI on March 27, 2026 at 16:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Golo theme to the latest version available, or uninstall the theme if no newer release exists.
  • If an update is unavailable, replace the theme with a vetted alternative.
  • Verify that all user accounts have the appropriate minimum roles and that no unintended users have administrator privileges.
  • Monitor the site for unauthorized role changes or new admin users and enforce least‑privilege principles.
  • Check the vendor or community forums for any additional recommendations or patches.

Generated by OpenCVE AI on March 27, 2026 at 16:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Uxper
Uxper golo
Wordpress
Wordpress wordpress
Vendors & Products Uxper
Uxper golo
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in uxper Golo golo allows Privilege Escalation.This issue affects Golo: from n/a through <= 1.7.0.
Title WordPress Golo theme <= 1.7.0 - Privilege Escalation vulnerability
Weaknesses CWE-266
References

Subscriptions

Uxper Golo
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:10.342Z

Reserved: 2026-02-17T13:23:30.505Z

Link: CVE-2026-27051

cve-icon Vulnrichment

Updated: 2026-03-27T13:28:42.359Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:54.390

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-27051

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:26:19Z

Weaknesses