Description
Missing Authorization vulnerability in wproyal Ashe ashe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ashe: from n/a through <= 2.266.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Broken access control allowing unauthorized privilege escalation
Action: Patch immediately
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the WordPress Ashe theme that permits incorrectly configured access control security levels. As a result, an attacker can gain unauthorized access to privileged functions, potentially exposing data or gaining control over site settings. This weakness is classified as CWE-862, indicating improper restriction of resources or privileges.

Affected Systems

The affected product is the Ashe theme by the wproyal vendor. All releases from the earliest available version up to and including version 2.266 are impacted. The theme is widely used within WordPress installations.

Risk and Exploitability

No CVSS, EPSS, or KEV data are provided, leaving the precise severity and exploitation likelihood unclear. However, the issue is a classic access‑control flaw, and the likely attack vector is through web requests to the theme’s administrative interfaces. Until a patch or newer version is applied, the risk of an attacker exploiting this vulnerability remains high.

Generated by OpenCVE AI on April 8, 2026 at 09:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Ashe theme to a version newer than 2.266 to eliminate the flaw.
  • Verify that the update contains the security fix by reviewing the change log or vendor announcement.
  • If an immediate update is not feasible, switch to a different, trusted theme or the default WordPress theme until the vulnerability is resolved.

Generated by OpenCVE AI on April 8, 2026 at 09:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wproyal
Wproyal ashe
Vendors & Products Wordpress
Wordpress wordpress
Wproyal
Wproyal ashe

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in wproyal Ashe ashe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ashe: from n/a through <= 2.266.
Title WordPress Ashe theme <= 2.266 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
Wproyal Ashe
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:27.618Z

Reserved: 2026-04-07T10:57:36.651Z

Link: CVE-2026-39627

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T09:16:33.080

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-39627

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:41:48Z

Weaknesses