Description
Missing Authorization vulnerability in vowelweb VW Pet Shop vw-pet-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Pet Shop: from n/a through <= 1.4.7.
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch Now
AI Analysis

Impact

The vulnerability is a missing authorization flaw (CWE-862) in the vowelweb VW Pet Shop WordPress theme that allows attackers to use incorrectly configured access control security levels. This flaw can enable users with no proper privileges to invoke functions or endpoints that are intended for higher‑privilege roles, potentially compromising the confidentiality or integrity of site data and allowing unauthorized changes or accesses.

Affected Systems

WordPress sites that have the vowelweb VW Pet Shop theme installed with a version of 1.4.7 or earlier. The affected range is "from n/a through <= 1.4.7", meaning all releases up to and including 1.4.7 are vulnerable.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. The EPSS score is less than 1%, suggesting low current exploit probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, via web‑based requests to the theme’s endpoints or admin functions that should be protected. Based on the description, the vulnerability can be exploited by sending crafted HTTP requests to trigger privileged actions without proper authorization.

Generated by OpenCVE AI on March 19, 2026 at 16:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the VW Pet Shop theme to a version newer than 1.4.7, if available.
  • After upgrading, verify that theme‑related admin interfaces and functions are only accessible by users with appropriate roles.
  • If an update is not currently available, restrict direct access to vulnerable theme files by adjusting file permissions and removing any unnecessary public entry points.
  • Enable logging and monitoring of unauthorized access attempts to detect potential exploitation.

Generated by OpenCVE AI on March 19, 2026 at 16:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Vowelweb
Vowelweb vw Pet Shop
Wordpress
Wordpress wordpress
Vendors & Products Vowelweb
Vowelweb vw Pet Shop
Wordpress
Wordpress wordpress

Sun, 15 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in vowelweb VW Pet Shop vw-pet-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Pet Shop: from n/a through <= 1.4.7.
Title WordPress VW Pet Shop theme <= 1.4.7 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Vowelweb Vw Pet Shop
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:16.403Z

Reserved: 2026-03-12T11:11:30.947Z

Link: CVE-2026-32435

cve-icon Vulnrichment

Updated: 2026-03-13T18:46:29.561Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:55:03.357

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32435

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T12:03:29Z

Weaknesses