Description
Missing Authorization vulnerability in themebeez Cream Blog cream-blog allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cream Blog: from n/a through <= 2.1.7.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Missing Authorization
Action: Patch
AI Analysis

Impact

Missing authorization in the Cream Blog theme allows a user to access restricted functions that should only be available to privileged administrators. The vulnerability is a classic example of CWE‑862, Privilege‑Escalation, where incorrect access control permits expansion of user rights leading to potential data exposure and manipulation of site content. The scope of impact extends to any WordPress site that has installed the affected theme, potentially compromising the integrity of the entire site content and configuration.

Affected Systems

WordPress sites using the Cream Blog theme from themebeez, specifically versions up through 2.1.7. The vulnerability is present in all earlier releases, and any site that has not upgraded past this release is affected.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate risk, and the EPSS score of less than 1% suggests a low likelihood of current exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further indicating limited exploitation reports. Based on the description, the attack vector is likely web‑based, requiring a user with some form of authenticated access to knowledge of the theme’s administrative interfaces. An attacker may then gain escalated privileges by accessing or modifying protected theme settings or content.

Generated by OpenCVE AI on April 9, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Cream Blog theme to version 2.1.8 or later.
  • If an upgrade is not possible immediately, disable the theme’s administrative pages using WordPress role management or .htaccess rules.
  • Monitor administrative activity for signs of unauthorized changes.
  • Verify that no deprecated or legacy theme files remain on the server.

Generated by OpenCVE AI on April 9, 2026 at 17:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Themebeez
Themebeez cream Blog
Wordpress
Wordpress wordpress
Vendors & Products Themebeez
Themebeez cream Blog
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in themebeez Cream Blog cream-blog allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cream Blog: from n/a through <= 2.1.7.
Title WordPress Cream Blog theme <= 2.1.7 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Themebeez Cream Blog
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-09T15:31:38.730Z

Reserved: 2026-04-07T10:57:48.107Z

Link: CVE-2026-39648

cve-icon Vulnrichment

Updated: 2026-04-09T15:31:08.463Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:35.753

Modified: 2026-04-24T18:06:24.707

Link: CVE-2026-39648

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:40:44Z

Weaknesses