Description
Missing Authorization vulnerability in SpabRice Mogi mogi allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mogi: from n/a through <= 1.2.3.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via WordPress shortcodes
Action: Immediate Patch
AI Analysis

Impact

The Mogi theme contains a missing authorization flaw that allows attackers to execute arbitrary WordPress shortcodes. If an attacker can submit a shortcode payload, they can run code on the server, potentially compromising confidentiality, integrity, and availability of the site. This weakness is categorized as a missing authorization control (CWE-862).

Affected Systems

The vulnerability affects the SpabRice Mogi theme for WordPress versions up to and including 1.2.3. Any installation running version 1.2.3 or earlier is at risk; no newer versions are known to be affected.

Risk and Exploitability

The CVSS base score of 5.3 indicates medium severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The flaw is not listed in the CISA KEV catalog. Attackers are likely to exploit the flaw via the web interface that accepts shortcode inputs (such as a page or post editor), which requires the ability to deliver a crafted post or similar content. Because the description indicates missing authorization, it is inferred that unauthenticated users or authors with minimal permissions may exploit the flaw; the CVSS vector recorded in the History section (PR:N, UI:N) is consistent with no privileges or user interaction being required. Exact prerequisites are not detailed in the available data.

Generated by OpenCVE AI on April 9, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Mogi theme to a version newer than 1.2.3 if an update is available on the vendor’s website.
  • If an update is not available, remove or disable the Mogi theme to eliminate the vulnerability.
  • Verify that no custom shortcode handlers remain active in other parts of the WordPress installation, and consider implementing stricter shortcode permission checks if possible.


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 17:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added:
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Spabrice; Spabrice mogi; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (empty)
Values Added: Spabrice; Spabrice mogi; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Values Removed: (empty)
Values Added:
  Description: Missing Authorization vulnerability in SpabRice Mogi mogi allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mogi: from n/a through <= 1.2.3.
  Title: WordPress Mogi theme <= 1.2.3 - Arbitrary Shortcode Execution vulnerability
  Weaknesses: CWE-862
  References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.931Z

Reserved: 2026-04-07T10:57:43.491Z

Link: CVE-2026-39637

Vulnrichment

Updated: 2026-04-09T16:01:04.251Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:34.410

Modified: 2026-04-24T18:06:24.707

Link: CVE-2026-39637

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:40:49Z

Weaknesses