Description
Missing Authorization vulnerability in kutethemes KuteShop kuteshop allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects KuteShop: from n/a through <= 4.2.9.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Shortcode Execution
Action: Immediate Patch
AI Analysis

Impact

A missing authorization check in Kutethemes KuteShop allows the execution of any shortcode supplied through a web request. Because WordPress parses and evaluates shortcodes within the core platform, an attacker can inject arbitrary shortcode content that may invoke the PHP callbacks registered for those shortcodes, potentially compromising the integrity of the site and enabling further payloads. The flaw is rooted in the theme's incorrect handling of access control security levels, which permits unauthorized shortcode execution.

Affected Systems

WordPress installations that use Kutethemes KuteShop version 4.2.9 or earlier are affected. Any site running the theme within that version range and that has its shortcode functionality enabled is at risk until an updated theme is deployed.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1 percent suggests a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog, implying no known active exploitation. Based on the description, the likely attack vector is an unauthenticated web request to a WordPress page that processes shortcodes; the attacker can supply arbitrary input without needing credentials.

Generated by OpenCVE AI on April 13, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the KuteShop theme to a version newer than 4.2.9 if a patch has been released.
  • If a patch is not immediately available, remove or disable the theme’s shortcode functionality that accepts arbitrary content until a fix can be applied.
  • Configure the theme’s access controls so that only authenticated administrators can execute shortcodes.
  • Review any plugins or custom code that rely on these shortcodes to confirm they are not being abused.
  • Monitor site logs for abnormal shortcode usage and consider deploying a web application firewall rule to block suspicious patterns.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

  Type: Metrics
  Values Removed: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
  Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Mon, 13 Apr 2026 19:15:00 +0000

  Type: Metrics
  Values Removed: none
  Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

  Type: First Time appeared
  Values Added: Kutethemes; Kutethemes kuteshop; Wordpress; Wordpress wordpress

  Type: Vendors & Products
  Values Added: Kutethemes; Kutethemes kuteshop; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

  Type: Description
  Values Added: Missing Authorization vulnerability in kutethemes KuteShop kuteshop allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects KuteShop: from n/a through <= 4.2.9.

  Type: Title
  Values Added: WordPress KuteShop theme <= 4.2.9 - Arbitrary Shortcode Execution vulnerability

  Type: Weaknesses
  Values Added: CWE-862

  Type: References
  Values Added: none listed

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.606Z

Reserved: 2026-04-07T10:48:55.140Z

Link: CVE-2026-39612

Vulnrichment

Updated: 2026-04-13T18:19:38.744Z

NVD

Status : Deferred

Published: 2026-04-08T09:16:30.760

Modified: 2026-04-29T10:17:31.270

Link: CVE-2026-39612

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:39:39Z

Weaknesses