{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22426", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:22:06.512Z", "datePublished": "2026-01-22T16:52:38.525Z", "dateUpdated": "2026-04-28T17:09:10.045Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "sweetjane", "product": "Sweet Jane", "vendor": "Elated-Themes", "versions": [{"lessThanOrEqual": "1.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:12.191Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authorization Bypass Through User-Controlled Key vulnerability in Elated-Themes Sweet Jane sweetjane allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Sweet Jane: from n/a through <= 1.2.</p>"}], "value": "Authorization Bypass Through User-Controlled Key vulnerability in Elated-Themes Sweet Jane sweetjane allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sweet Jane: from n/a through <= 1.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:43.812Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/sweetjane/vulnerability/wordpress-sweet-jane-theme-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "title": "WordPress Sweet Jane theme <= 1.2 - Insecure Direct Object References (IDOR) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T20:43:56.315322Z", "id": "CVE-2026-22426", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:09:10.045Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22426", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:22:06.512Z", "datePublished": "2026-01-22T16:52:38.525Z", "dateUpdated": "2026-04-28T17:09:10.045Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "sweetjane", "product": "Sweet Jane", "vendor": "Elated-Themes", "versions": [{"lessThanOrEqual": "1.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:12.191Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authorization Bypass Through User-Controlled Key vulnerability in Elated-Themes Sweet Jane sweetjane allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Sweet Jane: from n/a through <= 1.2.</p>"}], "value": "Authorization Bypass Through User-Controlled Key vulnerability in Elated-Themes Sweet Jane sweetjane allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sweet Jane: from n/a through <= 1.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:43.812Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/sweetjane/vulnerability/wordpress-sweet-jane-theme-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "title": "WordPress Sweet Jane theme <= 1.2 - Insecure Direct Object References (IDOR) vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22426", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T20:43:56.315322Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T20:45:30.988Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authorization Bypass Through User-Controlled Key vulnerability in Elated-Themes Sweet Jane sweetjane allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sweet Jane: from n/a through <= 1.2."}, {"lang": "es", "value": "Vulnerabilidad de omisi\u00f3n de autorizaci\u00f3n a trav\u00e9s de clave controlada por el usuario en Elated-Themes Sweet Jane sweetjane permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Sweet Jane: desde n/a hasta &lt;= 1.2."}], "id": "CVE-2026-22426", "lastModified": "2026-04-28T19:36:36.707", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:34.153", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/sweetjane/vulnerability/wordpress-sweet-jane-theme-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T17:56:15.371884+00:00", "value": {"mitigation_remediation": ["Upgrade the Sweet Jane theme to the latest release, which contains the security fix for the IDOR issue.", "Ensure WordPress role\u2011based access controls are configured so that only authorized users can reference the hierarchical objects exposed by the theme.", "If an immediate update is not possible, block or sanitize the specific URL patterns or query parameters used by the theme to expose objects, preventing direct object reference exploitation."], "summary": {"action": "Update Theme", "impact": "Unauthorized Data Access"}, "threat_synthesis": {"affected_systems": "The flaw affects the Sweet Jane WordPress theme from the earliest available build through version\u202f1.2. All installations of Sweet Jane up to and including 1.2 are vulnerable when deployed on a WordPress site without additional layer of access restriction.", "description_and_impact": "Elated-Themes Sweet Jane contains an Authorization Bypass Through User\u2011Controlled Key flaw that enables an attacker to bypass proper access control checks. This IDOR vulnerability may allow the attacker to retrieve or modify protected content that should not be reachable by their user level, compromising confidentiality and integrity of pages or media managed by the theme. The weakness is classified as CWE\u2011639.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote web request that manipulates a user\u2011controlled key or URL parameter to access protected resources."}}}}, "created": "2026-01-23T16:27:59.725222+00:00", "updated": "2026-04-16T18:00:11.171689+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}