{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25336", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:37.307Z", "datePublished": "2026-02-19T08:26:57.889Z", "dateUpdated": "2026-04-28T16:14:55.697Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "coachify", "product": "Coachify", "vendor": "wpcoachify", "versions": [{"changes": [{"at": "1.1.6", "status": "unaffected"}], "lessThanOrEqual": "1.1.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:05.694Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in wpcoachify Coachify coachify allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Coachify: from n/a through <= 1.1.5.</p>"}], "value": "Missing Authorization vulnerability in wpcoachify Coachify coachify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Coachify: from n/a through <= 1.1.5."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:55.697Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/coachify/vulnerability/wordpress-coachify-theme-1-1-5-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Coachify theme <= 1.1.5 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:18:18.333791Z", "id": "CVE-2026-25336", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:05:07.013Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25336", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:37.307Z", "datePublished": "2026-02-19T08:26:57.889Z", "dateUpdated": "2026-04-28T13:05:07.013Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "coachify", "product": "Coachify", "vendor": "wpcoachify", "versions": [{"changes": [{"at": "1.1.6", "status": "unaffected"}], "lessThanOrEqual": "1.1.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:26:40.993Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in wpcoachify Coachify coachify allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Coachify: from n/a through <= 1.1.5.</p>"}], "value": "Missing Authorization vulnerability in wpcoachify Coachify coachify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Coachify: from n/a through <= 1.1.5."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:49.368Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/coachify/vulnerability/wordpress-coachify-theme-1-1-5-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Coachify theme <= 1.1.5 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25336", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T21:18:18.333791Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:18:08.332Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in wpcoachify Coachify coachify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Coachify: from n/a through <= 1.1.5."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en wpcoachify Coachify coachify permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Coachify: desde n/a hasta &lt;= 1.1.5."}], "id": "CVE-2026-25336", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:18.320", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/coachify/vulnerability/wordpress-coachify-theme-1-1-5-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.5]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "1.1.6"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Coachify", "source": "cna", "vendor": "wpcoachify"}, "product": "coachify", "vendor": "wpcoachify"}], "analysis": {"en": {"generated_at": "2026-04-16T16:58:07.371908+00:00", "value": {"mitigation_remediation": ["Upgrade the Coachify theme to a version newer than 1.1.5 or apply any vendor\u2011supplied patch that addresses the missing authorization check.", "If an upgrade is not immediately possible, restrict access to the theme\u2019s administrative features by assigning appropriate WordPress capabilities or removing those capabilities from all non\u2011administrator roles.", "Review the WordPress role capabilities and remove or audit any permissions that the theme grants to roles that should not have them, ensuring that only administrators can invoke the controlled functions."], "summary": {"action": "Patch Now", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "WordPress installations that utilize the Coachify theme from wpcoachify, with versions up to and including 1.1.5. Any deployment that has not applied a newer release or an available vendor patch is susceptible.", "description_and_impact": "The Coachify theme contains a missing authorization flaw that allows attackers to bypass its intended access controls. By exploiting incorrectly configured security levels, a user can invoke administrative or protected functions without proper permission checks. This flaw can lead to unauthorized access to data or functionality that should be restricted, potentially exposing sensitive information or allowing further compromise of the WordPress site.", "risk_and_exploitability": "The CVSS base score of 5.3 indicates medium severity, while the EPSS score of less than 1% suggests that exploitation is presently uncommon. The vulnerability is not listed in CISA\u2019s KEV catalog, and no public exploits are known at this time. The likely attack vector is remote over the web, where an unauthenticated or low\u2011privileged user can interact with the theme\u2019s functions without encountering proper permission checks. Based on the description, it is inferred that the flaw could be leveraged from a web browser or via automated HTTP requests to the site\u2019s front\u2011end or admin endpoints."}}}}, "created": "2026-02-20T10:08:52.078291+00:00", "updated": "2026-04-16T17:00:09.394689+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpcoachify", "wpcoachify$PRODUCT$coachify"]}