Description
Missing Authorization vulnerability in acmethemes Education Base education-base allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Education Base: from n/a through <= 3.0.8.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Apply Patch
AI Analysis

Impact

Missing authorization controls in AcmeThemes Education Base theme version 3.0.8 and earlier allow an attacker to bypass protected areas of a WordPress site, enabling unauthorized access to view, edit, or delete content. This weakness, identified as CWE-862, compromises data confidentiality, integrity, and potentially availability by permitting users without proper credentials to interact with sensitive theme configuration pages.

Affected Systems

The vulnerable product is AcmeThemes Education Base, a WordPress theme. All releases from the earliest public version through version 3.0.8 are affected. Site owners using any of these versions face potential unauthorized access to theme settings and content.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating medium severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. The likely attack vector is remote, involving crafted HTTP requests to the theme's configuration or options pages, which bypass access controls and allow unauthenticated or improperly authenticated users to manipulate site content.

Generated by OpenCVE AI on April 13, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Education Base theme to the latest version that addresses the access control issue.
  • If an upgrade is not possible, remove or deactivate the theme to eliminate the vulnerability.
  • Verify that all other themes and plugins are up to date and review site permissions for any custom roles that could inadvertently gain elevated rights.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Acmethemes; Acmethemes education Base; Wordpress; Wordpress wordpress
Vendors & Products | | Acmethemes; Acmethemes education Base; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in acmethemes Education Base education-base allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Education Base: from n/a through <= 3.0.8.
Title | | WordPress Education Base theme <= 3.0.8 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.641Z

Reserved: 2026-04-07T10:57:27.974Z

Link: CVE-2026-39622

Vulnrichment

Updated: 2026-04-13T18:19:33.319Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:32.410

Modified: 2026-04-24T18:06:58.907

Link: CVE-2026-39622

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:39:01Z