Description
Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Metro Magazine: from n/a through 1.4.1.
Published: 2026-06-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a missing authorization flaw in the Metro Magazine theme provided by Rara Themes. Because the theme’s access control levels are improperly configured, users who should not have access to certain administrative or content areas can potentially read or modify protected data. The weakness corresponds to CWE-862 and can lead to unauthorized disclosure, modification, or tampering of WordPress content without proper authentication.

Affected Systems

All installations of the Metro Magazine theme from the first released version through version 1.4.1 are affected. The issue applies to Rara Themes’ Metro Magazine product. Any WordPress site using a version older than 1.4.2 is potentially vulnerable.

Risk and Exploitability

The CVSS score is 6.5, indicating a moderate risk. The EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be the web interface of the WordPress site, where an unauthenticated or minimally privileged user could exploit the missing authorization to gain access to restricted functions. Because the flaw lies in access control, exploitation would require leveraging any existing permissions associated with a user account, or may be possible without authentication if the theme exposes protected endpoints without checks.

Generated by OpenCVE AI on June 16, 2026 at 20:06 UTC.

Remediation

Vendor Solution

Update the WordPress Metro Magazine Theme to the latest available version (at least 1.4.2).


OpenCVE Recommended Actions

  • Install the latest version of the Metro Magazine theme (1.4.2 or newer) to address the broken access control flaw.
  • If an immediate update is not possible, restrict access to the theme’s settings by assigning higher role requirements or by using a role‑based access control plugin.
  • Verify that the WordPress installation, all plugins, and core files have the appropriate file permissions and are up to date to prevent other related vulnerabilities from being combined with this flaw.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 09:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.4.1.
Title | | WordPress Metro Magazine theme <= 1.4.1 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T14:54:55.049Z

Reserved: 2026-04-15T09:21:11.865Z

Link: CVE-2026-40809

Vulnrichment

Updated: 2026-06-16T14:54:50.760Z

NVD

Status: Deferred

Published: 2026-06-16T10:16:27.490

Modified: 2026-06-16T14:52:36.287

Link: CVE-2026-40809

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T20:15:16Z

Weaknesses