Description
Missing Authorization vulnerability in kutethemes Biolife biolife allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Biolife: from n/a through <= 3.2.3.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Shortcode Execution
Action: Immediate Patch
AI Analysis

Impact

The Kutethemes Biolife WordPress theme contains a missing authorization flaw that allows unauthenticated users to submit and execute arbitrary shortcodes. This misconfiguration in access controls lets the theme process any shortcode supplied, potentially injecting malicious code. The result can be content tampering, site defacement, or further compromise of the WordPress installation.

Affected Systems

WordPress sites using the Kutethemes Biolife theme version 3.2.3 or earlier are affected. The vulnerability applies to all releases from an undocumented initial release through version 3.2.3; newer releases beyond 3.2.3 are not affected. No other vendors or products are listed in the advisory.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The description implies a network-reachable, unauthenticated attack path: an attacker submits a crafted shortcode through a public interface, and the theme's missing access check causes it to be processed without any authentication.

Generated by OpenCVE AI on April 13, 2026 at 23:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Kutethemes Biolife theme to a version newer than 3.2.3.
  • Verify that the new version prevents unauthenticated users from executing arbitrary shortcodes.
  • After upgrading, monitor the site and review server logs for abnormal shortcode activity.
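The Impact section above describes the CWE-862 pattern in general terms: a front-end entry point hands user-supplied text to WordPress's shortcode renderer without checking who is asking. The following is an added illustration of that pattern and of the access-control shape the recommended upgrade should restore. It is not code from the Biolife theme or from Patchstack; the hook names, action names, shortcode tags and the `edit_posts` capability are hypothetical choices for the example, and the advisory does not state which endpoint in the theme is affected.

```php
<?php
// Added illustration of the CWE-862 pattern behind this advisory, not code from
// the Biolife theme. Hook names, action names and the allowlist are hypothetical.

// WEAK: a front-end AJAX handler reachable by anonymous users (wp_ajax_nopriv_)
// that renders whatever shortcode text the request carries. There is no
// capability check, no nonce, and no restriction on which shortcodes may run,
// so any visitor can drive any registered shortcode with any attributes.
add_action( 'wp_ajax_nopriv_example_render_shortcode', 'example_render_shortcode_weak' );
add_action( 'wp_ajax_example_render_shortcode', 'example_render_shortcode_weak' );
function example_render_shortcode_weak() {
    $shortcode = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    echo do_shortcode( $shortcode );
    wp_die();
}

// HARDENED: the same preview feature, gated the way a theme should gate it.
// Note that only the wp_ajax_ (logged-in) hook is registered; anonymous
// requests to this action get WordPress's default "0" response and never
// reach the handler.
add_action( 'wp_ajax_example_render_shortcode_safe', 'example_render_shortcode_safe' );
function example_render_shortcode_safe() {
    // 1. Authorization: only users allowed to edit content may trigger
    //    server-side shortcode rendering. wp_send_json_error() exits.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_render_shortcode', 'nonce' );

    // 3. Allowlist: accept only a shortcode tag this feature is meant to preview,
    //    never a free-form shortcode string from the client.
    $allowed = array( 'example_product_grid', 'example_banner' ); // hypothetical tags
    $tag     = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    if ( ! in_array( $tag, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'shortcode not allowed' ), 400 );
    }

    // 4. Attributes are built server-side from sanitized scalars and clamped,
    //    rather than spliced from a raw string the client controls.
    $limit = isset( $_POST['limit'] ) ? absint( $_POST['limit'] ) : 4;
    $limit = min( max( $limit, 1 ), 24 );

    $html = do_shortcode( sprintf( '[%s limit="%d"]', $tag, $limit ) );
    wp_send_json_success( array( 'html' => wp_kses_post( $html ) ) );
}
```

When verifying an upgraded theme, the check that matters is the one in step 1: an unauthenticated request to the theme's shortcode-rendering endpoint should be refused before any call to `do_shortcode()`, regardless of what the request body contains. The nonce and allowlist in steps 2 and 3 are defence in depth for logged-in users and do not substitute for the capability check.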


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Mon, 13 Apr 2026 19:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Kutethemes; Kutethemes biolife; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Kutethemes; Kutethemes biolife; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in kutethemes Biolife biolife allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Biolife: from n/a through <= 3.2.3.
Type: Title
Values Added: WordPress Biolife theme <= 3.2.3 - Arbitrary Shortcode Execution vulnerability
Type: Weaknesses
Values Added: CWE-862
Type: References
Values Added: (no values shown)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.713Z

Reserved: 2026-04-07T10:57:36.650Z

Link: CVE-2026-39624

Vulnrichment

Updated: 2026-04-13T18:19:29.793Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:32.673

Modified: 2026-04-29T10:17:32.717

Link: CVE-2026-39624

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:39:00Z

Weaknesses