Impact
The Flatsome theme for WordPress suffers from a broken access control flaw that permits users with the contributor role to perform actions beyond their intended privileges, such as modifying or deleting content. Because the theme lacks proper authorization checks, a contributor can alter site content in ways that compromise confidentiality, integrity, and availability of the site.
Affected Systems
All installations of the Flatsome theme at version 3.20.5 or earlier on WordPress are affected. The issue is limited to the theme; WordPress core is not affected. Sites running a version newer than 3.20.5 are not vulnerable.
Risk and Exploitability
The CVSS score of 6.5 places this vulnerability in the medium severity range. No EPSS data is available, so the likelihood of exploitation is unclear, and the flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that an authenticated contributor can exploit the missing authorization step: once logged in, the attacker can misuse the site's content management features, so the attack path is straightforward.
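As an added illustration of the flaw class described in the Impact and Risk sections above (this is not Flatsome's code and not code from the advisory), the snippet below shows a hypothetical theme AJAX handler that deletes a post without any authorization check, beside the hardened form. The action name, function names and nonce name are assumptions chosen for the example; the WordPress API calls (`add_action`, `check_ajax_referer`, `current_user_can`, `wp_delete_post`, `wp_send_json_*`) are real. Because `wp_ajax_*` hooks fire for any logged-in user, a missing capability check lets a contributor reach an action that should be limited to editors or administrators.

```php
<?php
// Added example (not from Flatsome): a theme AJAX endpoint for deleting a post.
// Action name "example_delete_post" and the functions below are hypothetical.

// --- Vulnerable pattern: authenticated, but no authorization ------------------
// wp_ajax_* runs for every logged-in user, so a contributor can call this and
// delete posts they do not own. There is also no nonce, so CSRF is possible.
function example_delete_post_vulnerable() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    wp_delete_post( $post_id, true );          // no capability check at all
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_example_delete_post_vulnerable', 'example_delete_post_vulnerable' );

// --- Hardened pattern: nonce + per-object capability check ---------------------
function example_delete_post_secure() {
    // 1. Reject requests that do not carry the nonce issued with the form/script.
    //    "example_delete_post_nonce" is the assumed nonce action name.
    check_ajax_referer( 'example_delete_post_nonce', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );
    $post    = get_post( $post_id );
    if ( ! $post ) {
        wp_send_json_error( array( 'message' => 'Post not found.' ), 404 );
    }

    // 2. Authorization: ask WordPress whether THIS user may delete THIS post.
    //    'delete_post' is a meta capability; for a contributor it maps to
    //    delete_posts only on their own unpublished posts, and to
    //    delete_others_posts / delete_published_posts otherwise, which
    //    contributors lack by default.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Only now perform the privileged action.
    $result = wp_delete_post( $post_id, true );
    if ( ! $result ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_example_delete_post_secure', 'example_delete_post_secure' );
```

The defensive point is the order of checks in the hardened handler: verify the nonce, then check the capability against the specific object (`current_user_can( 'delete_post', $post_id )` rather than a role name), and only then act. When reviewing a theme or plugin for this class of bug, look for every `wp_ajax_*`, `admin_post_*` or REST route callback that performs a write and confirm it contains such a check.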
OpenCVE Enrichment