Description
Missing Authorization vulnerability in ThemeGrill ThemeGrill Demo Importer themegrill-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThemeGrill Demo Importer: from n/a through <= 2.0.0.6.
Published: 2026-04-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access / Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the ThemeGrill Demo Importer WordPress plugin that allows an attacker to exploit incorrectly configured access control levels and perform administrative actions within the plugin without proper authentication, potentially exposing sensitive data or enabling further exploitation.

Affected Systems

ThemeGrill Demo Importer plugin for WordPress, all versions up to and including 2.0.0.6. The affected software is distributed under the name ThemeGrill Demo Importer; no additional version details beyond the upper bound are provided.

Risk and Exploitability

Based on the description, it is inferred that an attacker would target the plugin's import endpoint by sending a crafted HTTP request directly to the import URL or via a form in the WordPress administrative interface. Because the flaw requires no authentication, it is inferred that any user who can reach the affected site, whether authenticated or not, could trigger the import action and access administrative capabilities. The missing authorization control (CWE-862) represents a high-impact security weakness that can lead to full privilege escalation on the WordPress installation. The EPSS score is <1% and the CVSS score is 5.3, indicating a moderate risk that is currently not widely exploited.

Generated by OpenCVE AI on April 22, 2026 at 07:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ThemeGrill Demo Importer to the latest available version that addresses the access control flaw.
  • If an update is not yet available, disable the Demo Importer plugin or remove its import functionality until a patch is released.
  • Use a WordPress security plugin or an .htaccess rule to restrict access to the import endpoint so that only users with administrator privileges can invoke it.

Generated by OpenCVE AI on April 22, 2026 at 07:42 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  • cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
  • ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 13:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  • Themegrill
  • Themegrill themegrill Demo Importer
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  • Themegrill
  • Themegrill themegrill Demo Importer
  • Wordpress
  • Wordpress wordpress

Wed, 15 Apr 2026 10:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Missing Authorization vulnerability in ThemeGrill ThemeGrill Demo Importer themegrill-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThemeGrill Demo Importer: from n/a through <= 2.0.0.6.

Type: Title
Values Removed: (none)
Values Added: WordPress ThemeGrill Demo Importer plugin <= 2.0.0.6 - Broken Access Control vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added: (none listed)

Subscriptions

  • Themegrill / Themegrill Demo Importer
  • Wordpress / Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:04.755Z

Reserved: 2026-04-15T09:19:28.916Z

Link: CVE-2026-40730

Vulnrichment

Updated: 2026-04-15T15:32:38.238Z

NVD

Status: Deferred

Published: 2026-04-15T11:16:35.807

Modified: 2026-04-22T20:23:16.350

Link: CVE-2026-40730

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T07:45:11Z

Weaknesses