Description
Subscriber Broken Access Control in Martfury - WooCommerce Marketplace WordPress Theme <= 3.2.8 versions.
Published: 2026-07-02
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows a subscriber user to bypass access controls within the Martfury theme. The flaw is a broken access control condition that enables subscribers to perform actions intended only for higher‑privileged roles. The impact is limited to privilege escalation within the theme’s functionality, potentially exposing sensitive data or altering marketplace settings. The weakness is classified as CWE‑862 (Missing Authorization).

Affected Systems

Martfury – WooCommerce Marketplace WordPress Theme by drfuri. Versions 3.2.8 and earlier are affected. Upgrading to any release newer than 3.2.8 removes the flaw.

Risk and Exploitability

The CVSS score of 4.3 corresponds to Medium severity. Because the EPSS score is not available, the current exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, suggesting no known large‑scale exploitation. It likely requires an authenticated subscriber account and access to protected theme views; the CVSS vector (AV:N/PR:L/UI:N) accordingly describes a network-reachable attack that needs low-privileged credentials and no user interaction. Exploitation would enable an attacker to gain elevated privileges within the Martfury theme but would not globally compromise the WordPress installation.

Generated by OpenCVE AI on July 3, 2026 at 13:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Martfury theme to the latest version (3.3.0 or later).
  • If an upgrade is not feasible, use a role‑management plugin to remove or restrict the capabilities that the flaw exposes from the subscriber role.
  • Conduct a security review of all user roles and capabilities to ensure no other roles are granted unintended permissions.



Advisories

No advisories yet.

History

Thu, 02 Jul 2026 11:30:00 +0000

Type | Values Removed | Values Added
Description | | Subscriber Broken Access Control in Martfury - WooCommerce Marketplace WordPress Theme <= 3.2.8 versions.
Title | | WordPress Martfury - WooCommerce Marketplace WordPress theme theme <= 3.2.8 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T12:41:48.874Z

Reserved: 2026-06-25T08:03:42.567Z

Link: CVE-2026-57685

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T13:30:13Z

Weaknesses