{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25374", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:01.428Z", "datePublished": "2026-02-19T08:27:00.661Z", "dateUpdated": "2026-04-28T16:14:56.976Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "spa-and-salon", "product": "Spa and Salon", "vendor": "raratheme", "versions": [{"changes": [{"at": "1.3.3", "status": "unaffected"}], "lessThanOrEqual": "1.3.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:04.942Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in raratheme Spa and Salon spa-and-salon allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Spa and Salon: from n/a through <= 1.3.2.</p>"}], "value": "Missing Authorization vulnerability in raratheme Spa and Salon spa-and-salon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spa and Salon: from n/a through <= 1.3.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:56.976Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/spa-and-salon/vulnerability/wordpress-spa-and-salon-theme-1-3-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Spa and Salon theme <= 1.3.2 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T20:35:37.696001Z", "id": "CVE-2026-25374", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:08:16.924Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25374", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:01.428Z", "datePublished": "2026-02-19T08:27:00.661Z", "dateUpdated": "2026-04-28T13:08:16.924Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "spa-and-salon", "product": "Spa and Salon", "vendor": "raratheme", "versions": [{"changes": [{"at": "1.3.3", "status": "unaffected"}], "lessThanOrEqual": "1.3.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:26:45.088Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in raratheme Spa and Salon spa-and-salon allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Spa and Salon: from n/a through <= 1.3.2.</p>"}], "value": "Missing Authorization vulnerability in raratheme Spa and Salon spa-and-salon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spa and Salon: from n/a through <= 1.3.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:49.583Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/spa-and-salon/vulnerability/wordpress-spa-and-salon-theme-1-3-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Spa and Salon theme <= 1.3.2 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25374", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T20:35:37.696001Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T20:36:28.951Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in raratheme Spa and Salon spa-and-salon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spa and Salon: from n/a through <= 1.3.2."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n Faltante en raratheme Spa y Salon spa-and-salon permite Explotar Niveles de Seguridad de Control de Acceso Incorrectamente Configurados. Este problema afecta a Spa and Salon: desde n/a hasta &lt;= 1.3.2."}], "id": "CVE-2026-25374", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:19.983", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/spa-and-salon/vulnerability/wordpress-spa-and-salon-theme-1-3-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.2]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.3.3,*]"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "Spa and Salon", "source": "cna", "vendor": "raratheme"}, "product": "spa_and_salon", "vendor": "rarathemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:23:23.481893+00:00", "value": {"mitigation_remediation": ["Update the Spa and Salon theme to the latest available version (1.3.3 or later).", "Restrict file system permissions on the theme\u2019s directories to read\u2011only to prevent unauthorized writes.", "Review and tighten WordPress user roles and capabilities, ensuring only trusted accounts have full administrative privileges."], "summary": {"action": "Patch Theme", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "All WordPress sites that use raratheme\u2019s Spa and Salon theme up to and including version 1.3.2 are vulnerable. The theme, developed by Raratheme, is commonly deployed in spa, salon, and beauty\u2011related websites.", "description_and_impact": "Missing authorization in the raratheme Spa and Salon WordPress theme permits attackers to bypass access controls, potentially allowing the reading, creation, or modification of content, settings, or files that should be protected. The flaw arises from incorrectly configured security levels, enabling privilege escalation within the site and leading to possible data exposure, unauthorized changes, or further compromise.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score is below 1%, reflecting a low likelihood of exploitation at this time. The vulnerability is not listed in CISA\u2019s KEV catalog. While the official documentation does not specify an attack vector, it is inferred that attackers could exploit the missing authorization via the website\u2019s front\u2011end or back\u2011end interfaces where the theme\u2019s permission checks are insufficient. The actual risk depends on how tightly the site\u2019s user roles and file permissions are configured."}}}}, "created": "2026-02-20T10:08:42.265781+00:00", "updated": "2026-04-16T00:30:18.859752+00:00", "vendors": ["rarathemes", "rarathemes$PRODUCT$spa_and_salon", "wordpress", "wordpress$PRODUCT$wordpress"]}