Description
Missing Authorization vulnerability in UX-themes Flatsome flatsome allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flatsome: from n/a through <= 3.19.6.
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control
Action: Patch Now
AI Analysis

Impact

The vulnerability is a Missing Authorization flaw in the UX‑themes Flatsome WordPress theme. It allows attackers to exploit incorrectly configured access control security levels, bypassing intended restrictions. This can enable unauthorized access to administrative functions or sensitive site data. The weakness is categorized as CWE‑862, indicating Broken Access Control.

Affected Systems

UX‑themes:Flatsome are affected. All versions from n/a through 3.19.6 inclusive are vulnerable. Any site running Flatsome 3.19.6 or earlier is susceptible.

Risk and Exploitability

The CVSS score of 5.3 signals a moderate severity. The EPSS score is reported as less than 1%, suggesting low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would most likely need web access to the WordPress site’s administrative interface, and possibly a user account with elevated privileges, to exploit the broken access control. The attack vector is inferred to be remote (web‑based), as the exploit involves interacting with the theme’s configuration via the site’s front‑end or admin backend.

Generated by OpenCVE AI on March 19, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Flatsome theme to version 3.19.7 or later.
  • If an immediate upgrade is not possible, restrict Web access to the theme’s administrative area using file permissions or web‑server access controls (e.g., .htaccess rules, Nginx restrictions).
  • Monitor site logs for anomalous access attempts to theme files or administrative functions and review user roles regularly.

Generated by OpenCVE AI on March 19, 2026 at 15:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Uxthemes
Uxthemes flatsome
Wordpress
Wordpress wordpress
Vendors & Products Uxthemes
Uxthemes flatsome
Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in UX-themes Flatsome flatsome allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flatsome: from n/a through <= 3.19.6.
Title WordPress Flatsome theme <= 3.19.6 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Uxthemes Flatsome
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:50.848Z

Reserved: 2026-03-10T10:59:45.899Z

Link: CVE-2026-31915

cve-icon Vulnrichment

Updated: 2026-03-13T15:22:45.625Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:38.410

Modified: 2026-03-16T14:54:11.293

Link: CVE-2026-31915

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:59:30Z

Weaknesses