Description
Missing Authorization vulnerability in kutethemes KuteShop kuteshop allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects KuteShop: from n/a through <= 4.2.9.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via arbitrary shortcode injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from missing authorization checks in the KuteShop theme, allowing an attacker to insert and execute arbitrary shortcodes. These shortcodes are processed with the full privileges of the WordPress site, meaning that injected code could read, modify, or delete data and potentially compromise the entire site. The weakness corresponds to CWE-862, reflecting an access control failure that enables unauthorized code execution.

Affected Systems

WordPress sites running the KuteShop theme at version 4.2.9 or earlier are affected. The theme is published by the vendor Kutethemes. No specific fixed release is listed in the provided references; the problem is present in all builds up to and including 4.2.9.

Risk and Exploitability

The CVSS score and EPSS probability are not supplied, so the precise numerical severity is unknown. The vulnerability is not listed in the CISA KEV catalog, so no exploitation in the wild has been recorded there at this time. Nonetheless, because the flaw allows arbitrary shortcode execution with the permissions of the site itself, the potential damage is high, especially if the vulnerable functionality is reachable without authentication. Without a documented exploit the risk remains theoretical but credible, and remediation is urgent.

Generated by OpenCVE AI on April 8, 2026 at 09:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the KuteShop theme to the latest version that fixes the access control issue. If a newer release is unavailable, consider disabling or restricting shortcode processing for unauthenticated users. Monitor site logs for unexpected shortcode activity and review user permissions to ensure only trusted administrators can add or customize shortcodes.

Generated by OpenCVE AI on April 8, 2026 at 09:42 UTC.
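The page does not identify the affected code path, so the following is an added, hypothetical illustration (not KuteShop's own code) of the CWE-862 pattern behind the recommended actions: a theme AJAX handler that hands request input to do_shortcode() with no authorization check, followed by a hardened version that requires a login, a nonce, a capability and an allow-list of shortcode tags. All function and action names prefixed kt_demo_ are assumptions.

```php
<?php
// Added illustration, not the theme's code. Names prefixed kt_demo_ are hypothetical.

// VULNERABLE pattern: reachable by unauthenticated users (wp_ajax_nopriv_) and
// no capability or nonce check before do_shortcode(). Any registered shortcode
// on the site can be invoked with the site's own privileges.
function kt_demo_render_unsafe() {
    $shortcode = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    echo do_shortcode( $shortcode );
    wp_die();
}
add_action( 'wp_ajax_nopriv_kt_demo_render_unsafe', 'kt_demo_render_unsafe' );
add_action( 'wp_ajax_kt_demo_render_unsafe', 'kt_demo_render_unsafe' );

// HARDENED version: logged-in users only (no wp_ajax_nopriv_ registration),
// CSRF nonce, explicit capability check, and only allow-listed shortcode tags.
function kt_demo_render_safe() {
    check_ajax_referer( 'kt_demo_render', 'nonce' );           // rejects missing/invalid nonce

    if ( ! current_user_can( 'edit_theme_options' ) ) {       // the missing authorization check
        wp_send_json_error( 'forbidden', 403 );
    }

    $allowed = array( 'kt_demo_products', 'kt_demo_banner' );   // hypothetical theme shortcodes
    $tag     = isset( $_POST['tag'] ) ? sanitize_key( $_POST['tag'] ) : '';
    if ( ! in_array( $tag, $allowed, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unknown shortcode', 400 );
    }

    // Rebuild the shortcode from vetted parts instead of rendering raw request text.
    $atts = isset( $_POST['atts'] ) ? sanitize_text_field( wp_unslash( $_POST['atts'] ) ) : '';
    $html = do_shortcode( '[' . $tag . ' ' . $atts . ']' );
    wp_send_json_success( $html );
}
add_action( 'wp_ajax_kt_demo_render_safe', 'kt_demo_render_safe' );
```

For detection, an unexpected volume of admin-ajax.php requests carrying shortcode-like bodies (text in square brackets) from unauthenticated sessions is the kind of activity the recommended log review should flag.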

Tracking


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Kutethemes; Kutethemes kuteshop; Wordpress; Wordpress wordpress
Vendors & Products  |                | Kutethemes; Kutethemes kuteshop; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Missing Authorization vulnerability in kutethemes KuteShop kuteshop allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects KuteShop: from n/a through <= 4.2.9.
Title       |                | WordPress KuteShop theme <= 4.2.9 - Arbitrary Shortcode Execution vulnerability
Weaknesses  |                | CWE-862
References  |                |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:23.931Z

Reserved: 2026-04-07T10:48:55.140Z

Link: CVE-2026-39612

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T09:16:30.760

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-39612

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:42:05Z

Weaknesses