{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39627", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:36.651Z", "datePublished": "2026-04-08T08:30:27.618Z", "dateUpdated": "2026-04-09T20:25:43.485Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ashe", "product": "Ashe", "vendor": "wproyal", "versions": [{"lessThanOrEqual": "2.266", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:33.648Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in wproyal Ashe ashe allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Ashe: from n/a through <= 2.266.</p>"}], "value": "Missing Authorization vulnerability in wproyal Ashe ashe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ashe: from n/a through <= 2.266."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:27.618Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/ashe/vulnerability/wordpress-ashe-theme-2-266-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Ashe theme <= 2.266 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T18:56:50.974269Z", "id": "CVE-2026-39627", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T20:25:43.485Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in wproyal Ashe ashe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ashe: from n/a through <= 2.266."}], "id": "CVE-2026-39627", "lastModified": "2026-04-09T21:16:11.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:33.080", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/ashe/vulnerability/wordpress-ashe-theme-2-266-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.266]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Ashe", "source": "cna", "vendor": "wproyal"}, "product": "ashe", "vendor": "wproyal"}], "analysis": {"en": {"generated_at": "2026-04-09T22:55:23.004959+00:00", "value": {"mitigation_remediation": ["Update the Ashe theme to the latest available version (2.267 or newer).", "If an update is not feasible, disable or remove the Ashe theme from the installation.", "Ensure that the WordPress core, all plugins, and other themes are kept current to reduce exposure to similar weaknesses.", "Monitor administrative logs for unexpected changes or access attempts that may indicate exploitation attempts."], "summary": {"action": "Update Theme", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "This vulnerability affects the wproyal Ashe theme in any installation running version 2.266 or earlier. No specific patch versions are listed beyond 2.266, so sites using any version up to that threshold are considered vulnerable.", "description_and_impact": "The Ashe WordPress theme, up to version 2.266, contains a missing authorization vulnerability that allows attackers to bypass incorrectly configured access control security levels. This flaw enables unauthorized users to perform privileged actions normally reserved for authenticated administrators, leading to potential data exposure or modification. The weakness is identified as CWE\u2011862, where authorization checks fail to restrict access to protected resources.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a low severity level, and the EPSS score below 1% suggests a very low probability of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. While the report does not specify a precise attack vector, it is inferred that an attacker would need access to the WordPress administration interface to manipulate the theme\u2019s settings and exploit the broken access control. No public exploits have been reported, and the risk primarily applies to sites that have not updated the Ashe theme beyond version 2.266."}}}}, "created": "2026-04-08T19:29:32.055038+00:00", "updated": "2026-04-10T09:40:54.543292+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wproyal", "wproyal$PRODUCT$ashe"]}