{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25393", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:07.232Z", "datePublished": "2026-02-19T08:27:03.097Z", "dateUpdated": "2026-04-28T16:14:57.665Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "hello-fse", "product": "Hello FSE", "vendor": "sparklewpthemes", "versions": [{"lessThanOrEqual": "1.0.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "0xd4rk5id3 | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:08.289Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in sparklewpthemes Hello FSE hello-fse allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Hello FSE: from n/a through <= 1.0.6.</p>"}], "value": "Missing Authorization vulnerability in sparklewpthemes Hello FSE hello-fse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hello FSE: from n/a through <= 1.0.6."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:57.665Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/hello-fse/vulnerability/wordpress-hello-fse-theme-1-0-6-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Hello FSE theme <= 1.0.6 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T19:19:41.245204Z", "id": "CVE-2026-25393", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:12:28.036Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25393", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:07.232Z", "datePublished": "2026-02-19T08:27:03.097Z", "dateUpdated": "2026-04-28T13:12:28.036Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "hello-fse", "product": "Hello FSE", "vendor": "sparklewpthemes", "versions": [{"lessThanOrEqual": "1.0.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "0xd4rk5id3 | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:26:46.772Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in sparklewpthemes Hello FSE hello-fse allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Hello FSE: from n/a through <= 1.0.6.</p>"}], "value": "Missing Authorization vulnerability in sparklewpthemes Hello FSE hello-fse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hello FSE: from n/a through <= 1.0.6."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:49.694Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/hello-fse/vulnerability/wordpress-hello-fse-theme-1-0-6-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Hello FSE theme <= 1.0.6 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25393", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T19:19:41.245204Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T19:19:03.435Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in sparklewpthemes Hello FSE hello-fse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hello FSE: from n/a through <= 1.0.6."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en sparklewpthemes Hello FSE hello-fse permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Hello FSE: desde n/a hasta &lt;= 1.0.6."}], "id": "CVE-2026-25393", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:21.510", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/hello-fse/vulnerability/wordpress-hello-fse-theme-1-0-6-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Hello FSE", "source": "cna", "vendor": "sparklewpthemes"}, "product": "hello_fse", "vendor": "sparklewpthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T18:11:16.233091+00:00", "value": {"mitigation_remediation": ["Upgrade the Hello FSE theme to the latest available version, ensuring it is newer than 1.0.6, and verify the update against the vendor's release notes and checksum.", "If no newer version is available, uninstall or disable the Hello FSE theme entirely to eliminate the vulnerable code.", "Restrict access to theme configuration URLs so that only administrators can reach them, implementing role-based permissions or a suitable plugin; verify that no custom code overrides the default access checks."], "summary": {"action": "Update Theme", "impact": "Improper Access Control"}, "threat_synthesis": {"affected_systems": "WordPress sites utilizing the SparkleWPThemes Hello FSE theme version 1.0.6 or earlier are affected. No specific WordPress core version is listed, but the issue applies to any deployment where the Hello FSE theme is active and the default access controls are in place.", "description_and_impact": "The vulnerability in the Hello FSE theme allows an attacker to bypass authorization checks and access theme configuration or content that should be restricted. This could enable unauthorized users to view, modify or delete theme settings, potentially affecting site integrity and confidentiality. The weakness is identified as CWE-862, indicating missing or incorrect inventory of who is allowed to perform certain operations.", "risk_and_exploitability": "The CVSS score of 4.3 denotes moderate risk, while the EPSS score of less than 1% indicates a low likelihood of exploitation at any given time. The vulnerability is not in the CISA KEV catalog, which further suggests limited evidence of widespread exploitation. Based on the description, it is inferred that attackers would need to target sites where the Hello FSE theme is installed and may exploit the broken access checks via normal user interaction or possibly through automated discovery of sensitive theme URLs. No remote code execution or privilege escalation is reported, so the primary threat is unauthorized access to theme configuration and possibly sensitive content."}}}}, "created": "2026-02-20T10:08:32.543889+00:00", "updated": "2026-04-17T18:15:26.779439+00:00", "vendors": ["sparklewpthemes", "sparklewpthemes$PRODUCT$hello_fse", "wordpress", "wordpress$PRODUCT$wordpress"]}