The SmartFix theme contains a missing authorization flaw (CWE‑862) that allows an attacker to bypass properly configured access control levels. By exploiting this flaw, an unauthenticated or low‑privilege user can gain unexpected access to administrative functions or alter website content, thereby compromising the integrity and confidentiality of the WordPress site. This issue is identified as a broken access control vulnerability that enables unauthorized users to perform actions normally restricted to site administrators. The vulnerability can allow modification of theme settings, insertion of malicious code, or other actions that could facilitate further exploitation of the site. The flaw is present in all releases of SmartFix up to, but not including, version 1.2.4. The CVSS score is 5.4, indicating moderate severity, while the EPSS score is below 1%, suggesting a low likelihood of widespread exploitation. It is not listed in the CISA known exploited vulnerability catalog. The available description does not explicitly state the attack vector; however, based on the nature of the flaw and typical WordPress theme behavior, the attack is inferred to be remote and achievable through the web interface when the theme is active. No special environmental conditions or elevated privileges are required beyond normal site access.

The vulnerability affects the SmartFix theme developed by linethemes. All published versions before 1.2.4 are vulnerable; versions 1.2.4 and later are considered patched. No additional sub‑version details are provided in the advisory.

The CVSS score of 5.4 classifies the issue as moderate. EPSS below 1% indicates a low probability of exploitation, and the vulnerability is not present in CISA's KEV catalog. It is likely exploitable remotely via the website's interface when the theme is installed. Attackers could trigger the flaw by accessing or manipulating URLs or parameters that are protected by the theme's access control logic. The lack of required user credentials implies that unauthenticated users could leverage the flaw.