{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22409", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:56.449Z", "datePublished": "2026-01-22T16:52:38.126Z", "dateUpdated": "2026-04-28T17:06:41.310Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "justicia", "product": "Justicia", "vendor": "Mikado-Themes", "versions": [{"lessThanOrEqual": "1.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:13.007Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Justicia justicia allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Justicia: from n/a through <= 1.2.</p>"}], "value": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Justicia justicia allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Justicia: from n/a through <= 1.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:43.466Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/justicia/vulnerability/wordpress-justicia-theme-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "title": "WordPress Justicia theme <= 1.2 - Insecure Direct Object References (IDOR) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T18:36:37.886190Z", "id": "CVE-2026-22409", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:06:41.310Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22409", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:56.449Z", "datePublished": "2026-01-22T16:52:38.126Z", "dateUpdated": "2026-04-28T17:06:41.310Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "justicia", "product": "Justicia", "vendor": "Mikado-Themes", "versions": [{"lessThanOrEqual": "1.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:13.007Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Justicia justicia allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Justicia: from n/a through <= 1.2.</p>"}], "value": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Justicia justicia allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Justicia: from n/a through <= 1.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:43.466Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/justicia/vulnerability/wordpress-justicia-theme-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "title": "WordPress Justicia theme <= 1.2 - Insecure Direct Object References (IDOR) vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22409", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T18:36:37.886190Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T18:36:34.166Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Justicia justicia allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Justicia: from n/a through <= 1.2."}, {"lang": "es", "value": "Vulnerabilidad de omisi\u00f3n de autorizaci\u00f3n a trav\u00e9s de clave controlada por el usuario en Mikado-Themes Justicia justicia permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Justicia: desde n/d hasta &lt;= 1.2."}], "id": "CVE-2026-22409", "lastModified": "2026-04-28T19:36:35.363", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:33.917", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/justicia/vulnerability/wordpress-justicia-theme-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T07:46:30.959392+00:00", "value": {"mitigation_remediation": ["Upgrade the Mikado-Themes Justicia WordPress theme to a version newer than 1.2 or apply the vendor patch that addresses the IDOR flaw.", "Validate and restrict all user-controlled keys used by the theme against an approved whitelist and enforce strict access control checks for every request.", "Configure WordPress role capabilities and content permissions to limit which users can view or modify restricted content, removing unnecessary permissions for non-admin roles."], "summary": {"action": "Immediate Patch", "impact": "Authorization bypass leading to unauthorized data access"}, "threat_synthesis": {"affected_systems": "The affected product is the Mikado-Themes Justicia WordPress theme, versions from the earliest release through 1.2. Any WordPress installation that uses this theme may be at risk.", "description_and_impact": "This vulnerability is an Authorization Bypass Through User-Controlled Key (CWE-639) in the Mikado-Themes Justicia WordPress theme, available up to version 1.2. It permits an attacker to exploit incorrectly configured access control security levels to read or modify restricted content or data. The primary impact is the compromise of confidentiality and integrity of site data, potentially enabling privilege escalation.", "risk_and_exploitability": "The CVSS v3.1 base score of 5.4 indicates moderate severity, with a low exploit probability of less than 1% per the EPSS metric and no listing in the CISA KEV catalog. The likely attack vector is a web-based request manipulation of user-controlled keys, allowing attackers to access restricted objects without proper authorization checks."}}}}, "created": "2026-01-23T16:27:43.686105+00:00", "updated": "2026-04-16T08:00:11.177318+00:00", "vendors": ["mikado-themes", "mikado-themes$PRODUCT$justicia", "wordpress", "wordpress$PRODUCT$wordpress"]}