{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23974", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-19T16:14:52.937Z", "datePublished": "2026-01-22T16:52:42.305Z", "dateUpdated": "2026-04-28T16:14:47.515Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "golo", "product": "Golo", "vendor": "uxper", "versions": [{"changes": [{"at": "1.7.5", "status": "unaffected"}], "lessThanOrEqual": "1.7.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:11.965Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in uxper Golo golo allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Golo: from n/a through < 1.7.5.</p>"}], "value": "Missing Authorization vulnerability in uxper Golo golo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Golo: from n/a through < 1.7.5."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:47.515Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/golo/vulnerability/wordpress-golo-theme-1-7-5-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Golo theme < 1.7.5 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T16:49:08.464120Z", "id": "CVE-2026-23974", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:48:18.870Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23974", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-23T16:49:08.464120Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T16:49:11.231Z"}}], "cna": {"title": "WordPress Golo theme < 1.7.5 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "uxper", "product": "Golo", "versions": [{"status": "affected", "changes": [{"at": "1.7.5", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.7.5"}], "packageName": "golo", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:11.965Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/golo/vulnerability/wordpress-golo-theme-1-7-5-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in uxper Golo golo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Golo: from n/a through < 1.7.5.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in uxper Golo golo allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Golo: from n/a through < 1.7.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:04.006Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23974", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:48:18.870Z", "dateReserved": "2026-01-19T16:14:52.937Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:42.305Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in uxper Golo golo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Golo: from n/a through < 1.7.5."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en uxper Golo golo permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Golo: desde n/a hasta &lt; 1.7.5."}], "id": "CVE-2026-23974", "lastModified": "2026-04-28T16:16:07.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:38.090", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/golo/vulnerability/wordpress-golo-theme-1-7-5-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:02:28.047342+00:00", "value": {"mitigation_remediation": ["Immediately upgrade the Golo theme to the fixed version 1.7.5 or newer.", "Verify that theme option pages and data manipulation controls are only accessible to administrators or users with explicit permission.", "Conduct a quick review of custom user roles and capabilities, ensuring no elevated privileges allow theme configuration beyond the intended scope."], "summary": {"action": "Apply Patch", "impact": "Broken Access Control leading to unauthorized privileged actions"}, "threat_synthesis": {"affected_systems": "The Golo theme (uxper:Golo) is vulnerable in all releases earlier than version 1.7.5. WordPress sites that have installed any version of this theme from the first release through 1.7.4 are affected. No specific operating system or PHP version is mentioned in the CVE record, so any environment running WordPress with that theme may be impacted.", "description_and_impact": "The vulnerability in the uxper Golo theme is a missing\u2011authorization flaw that can be leveraged to bypass intended security controls. An attacker who can interact with the theme\u2019s administrative features can perform actions normally reserved for privileged users, such as editing or deleting theme data, without proper authentication. This shortfall aligns with CWE\u2011862, indicating that user decisions are not correctly validated and authenticated.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity, and the EPSS score of less than 1 percent suggests that active exploitation of this issue is currently uncommon. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, implying that no widespread, publicly disclosed attacks have been reported. Given that the flaw involves access control in a browser\u2011based CMS component, it is likely to be exploitable over the network by any user who can reach the WordPress administrative interface; this inference is based on the nature of the flaw, though the CVE does not explicitly state the attack vector."}}}}, "created": "2026-01-23T16:27:36.517679+00:00", "updated": "2026-04-28T18:15:37.352972+00:00", "vendors": ["uxper", "uxper$PRODUCT$golo", "wordpress", "wordpress$PRODUCT$wordpress"]}