Description
Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects HAPPY: from n/a through 1.0.10.
Published: 2026-05-21
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that enables users with insufficient privileges to perform restricted actions within the VillaTheme HAPPY plugin. By bypassing the plugin’s access control, an attacker could view, edit, or delete support tickets and other ticket‑related data. This flaw is identified as CWE‑862, which represents an improper restriction of authorization.

Affected Systems

Hosts running WordPress with the HAPPY plugin version 1.0.10 or earlier are affected. Any installation that has not applied the later version 1.0.11 or higher is susceptible, regardless of the underlying WordPress or operating system version.

Risk and Exploitability

The CVSS score of 6.5 reflects a medium severity risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that, while meaningful, it has not yet been widely reported as a target for active exploitation. Based on the nature of the plugin, the likely attack vector is via the web interface of the affected WordPress site, but this is inferred rather than stated explicitly in the source data.

Generated by OpenCVE AI on May 21, 2026 at 18:53 UTC.

Remediation

Vendor Solution

Update the WordPress HAPPY Plugin to the latest available version (at least 1.0.11).

OpenCVE Recommended Actions

  • Update the VillaTheme HAPPY plugin to the latest available version (at least 1.0.11).
  • Ensure that WordPress user roles and capabilities are correctly configured so that only authorized users have ticket management permissions.
  • Disable or remove any unused administrative routes or endpoints exposed by the plugin to limit potential exploitation paths.

Generated by OpenCVE AI on May 21, 2026 at 18:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Villatheme
Villatheme happy
Wordpress
Wordpress wordpress
Vendors & Products Villatheme
Villatheme happy
Wordpress
Wordpress wordpress

Thu, 21 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HAPPY: from n/a through 1.0.10.
Title WordPress HAPPY plugin <= 1.0.10 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

Villatheme Happy
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-21T19:30:53.577Z

Reserved: 2026-04-07T10:48:50.115Z

Link: CVE-2026-39593

cve-icon Vulnrichment

Updated: 2026-05-21T19:29:32.404Z

cve-icon NVD

Status : Deferred

Published: 2026-05-21T18:16:17.203

Modified: 2026-05-21T19:10:36.607

Link: CVE-2026-39593

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T19:00:14Z

Weaknesses