Description
Contributor Broken Access Control in Flatsome <= 3.20.5 versions.
Published: 2026-07-02
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Flatsome theme for WordPress suffers from a broken access control flaw that permits users with the contributor role to perform actions beyond their intended privileges, such as modifying or deleting content. Because the theme lacks proper authorization checks, a contributor can alter site content in ways that compromise confidentiality, integrity, and availability of the site.

Affected Systems

All installations of the Flatsome theme version 3.20.5 or earlier on WordPress are affected. The issue is limited to the theme; core WordPress remains unaffected. Sites using versions newer than 3.20.5 are not vulnerable.

Risk and Exploitability

The CVSS score of 6.5 places this vulnerability in the medium severity range, and EPSS data is not available, so the likelihood of exploitation is unclear. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that an authenticated contributor can exploit the missing authorization step; once logged in, the attacker can misuse the site’s content management features, making the attack path straightforward and easy to execute.

Generated by OpenCVE AI on July 2, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Flatsome theme to the latest release (≥3.20.6).
  • Review and restrict contributor permissions by removing unnecessary capabilities.
  • Enable logging and monitoring to detect unauthorized content changes.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 15:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 11:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Contributor Broken Access Control in Flatsome <= 3.20.5 versions.

Type: Title
Values Removed: (none)
Values Added: WordPress Flatsome theme <= 3.20.5 - Broken Access Control vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added:

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T13:41:12.831Z

Reserved: 2026-06-25T08:04:20.944Z

Link: CVE-2026-57731

Vulnrichment

Updated: 2026-07-02T13:41:09.027Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:15:03Z

Weaknesses