{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22391", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:40.879Z", "datePublished": "2026-01-22T16:52:35.937Z", "dateUpdated": "2026-04-28T16:54:29.740Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "cocco", "product": "Cocco", "vendor": "Mikado-Themes", "versions": [{"lessThanOrEqual": "1.5.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:15.037Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Cocco cocco allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Cocco: from n/a through <= 1.5.1.</p>"}], "value": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Cocco cocco allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cocco: from n/a through <= 1.5.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:42.753Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/cocco/vulnerability/wordpress-cocco-theme-1-5-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "title": "WordPress Cocco theme <= 1.5.1 - Insecure Direct Object References (IDOR) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T18:38:32.436181Z", "id": "CVE-2026-22391", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:54:29.740Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22391", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T18:38:32.436181Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T18:38:28.724Z"}}], "cna": {"title": "WordPress Cocco theme <= 1.5.1 - Insecure Direct Object References (IDOR) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mikado-Themes", "product": "Cocco", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.5.1"}], "packageName": "cocco", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:15.037Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/cocco/vulnerability/wordpress-cocco-theme-1-5-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Cocco cocco allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cocco: from n/a through <= 1.5.1.", "supportingMedia": [{"type": "text/html", "value": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Cocco cocco allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Cocco: from n/a through <= 1.5.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:01.943Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22391", "state": "PUBLISHED", "dateUpdated": "2026-04-24T18:27:45.535Z", "dateReserved": "2026-01-07T12:21:40.879Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:35.937Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Cocco cocco allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cocco: from n/a through <= 1.5.1."}, {"lang": "es", "value": "Vulnerabilidad de elusi\u00f3n de autorizaci\u00f3n a trav\u00e9s de clave controlada por el usuario en Mikado-Themes Cocco cocco permite explotar niveles de seguridad de control de acceso incorrectamente configurados. Este problema afecta a Cocco: desde n/a hasta &lt;= 1.5.1."}], "id": "CVE-2026-22391", "lastModified": "2026-04-28T19:36:33.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:32.713", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/cocco/vulnerability/wordpress-cocco-theme-1-5-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T07:48:56.563445+00:00", "value": {"mitigation_remediation": ["Upgrade the Cocco theme to the latest available version that fixes the IDOR issue, ideally version 1.5.2 or newer from Mikado\u2011Themes.", "If an upgrade is not immediately possible, remove the theme from active use or restrict access to the relevant resources, such as disabling direct object URL access or implementing additional access controls.", "Audit the theme\u2019s configuration to ensure that user\u2011supplied keys are properly validated and that permission checks align with the intended access level for each resource."], "summary": {"action": "Apply Patch", "impact": "Authorization Bypass via IDOR"}, "threat_synthesis": {"affected_systems": "The issue affects Mikado\u2011Themes Cocco theme version 1.5.1 and earlier, as sold for WordPress. Any WordPress site that has installed the theme within that version range is potentially exposed, regardless of the site's hosting environment. Versions newer than 1.5.1 are considered unaffected if the vendor\u2019s patch correctly addresses the IDOR flaw.", "description_and_impact": "The vulnerability is an authorization bypass through user\u2011controlled keys in the Mikado\u2011Themes Cocco theme. It permits attackers to manipulate request parameters and access or modify resources that should otherwise be restricted, compromising the confidentiality and integrity of content managed by the theme. The weakness is categorized as CWE\u2011639, indicating a problem with access control validation.", "risk_and_exploitability": "The CVSS score of 5.4 denotes moderate severity, while the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog, indicating it has not yet been widely exploited. Nevertheless, the IDOR can be triggered by crafting URLs or API calls that reference protected objects. An attacker who can guess or modify identifiers could read or overwrite data, potentially enabling content tampering or unauthorized disclosure. The threat level is particularly relevant for sites that rely heavily on the theme for critical content management."}}}}, "created": "2026-01-23T16:28:37.206996+00:00", "updated": "2026-04-16T08:00:11.185571+00:00", "vendors": ["mikado-themes", "mikado-themes$PRODUCT$cocco", "wordpress", "wordpress$PRODUCT$wordpress"]}