{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25459", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:53.793Z", "datePublished": "2026-02-19T08:27:08.568Z", "dateUpdated": "2026-04-28T16:14:59.340Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "sober", "product": "Sober", "vendor": "uixthemes", "versions": [{"lessThanOrEqual": "3.5.12", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Rafie Muhammad | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:10.675Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in uixthemes Sober sober allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Sober: from n/a through <= 3.5.12.</p>"}], "value": "Missing Authorization vulnerability in uixthemes Sober sober allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sober: from n/a through <= 3.5.12."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:59.340Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/sober/vulnerability/wordpress-sober-theme-3-5-12-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Sober theme <= 3.5.12 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T18:22:32.298283Z", "id": "CVE-2026-25459", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:58:27.978Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25459", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T18:22:32.298283Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T18:21:22.505Z"}}], "cna": {"title": "WordPress Sober theme <= 3.5.12 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Rafie Muhammad | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "uixthemes", "product": "Sober", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.5.12"}], "packageName": "sober", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:54.779Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/sober/vulnerability/wordpress-sober-theme-3-5-12-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in uixthemes Sober sober allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sober: from n/a through <= 3.5.12.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in uixthemes Sober sober allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Sober: from n/a through <= 3.5.12.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:50.228Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25459", "state": "PUBLISHED", "dateUpdated": "2026-04-28T13:58:27.978Z", "dateReserved": "2026-02-02T12:53:53.793Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:27:08.568Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in uixthemes Sober sober allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sober: from n/a through <= 3.5.12."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en uixthemes Sober sober permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Sober: desde n/a hasta &lt;= 3.5.12."}], "id": "CVE-2026-25459", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:24.860", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/sober/vulnerability/wordpress-sober-theme-3-5-12-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.5.12]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Sober", "source": "cna", "vendor": "uixthemes"}, "product": "sober", "vendor": "uixthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:11:06.623703+00:00", "value": {"mitigation_remediation": ["Upgrade the Sober theme to a version newer than 3.5.12 once the vendor releases an official patch.", "Verify that all administrative pages are protected by authentication and that only authorized users can access them.", "Confirm that role\u2011based access controls enforce correct capabilities and restrict theme\u2011specific privileges to trusted users only."], "summary": {"action": "Apply Patch", "impact": "Broken Access Control that permits unauthorized actions"}, "threat_synthesis": {"affected_systems": "The weakness affects the WordPress Sober theme built by uixthemes for all installations from any unreleased version through version 3.5.12. Any WordPress website that has not migrated to a newer, unpatched theme version is susceptible.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows exploitation of incorrectly configured access control levels. Attackers can bypass standard permission checks to gain unauthorized access to protected actions via the WordPress Sober theme. This flaw may enable the execution of privileged operations, potentially compromising the integrity and confidentiality of site data.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, while an EPSS score below 1% signals a very low probability of real\u2011world exploitation. Because the flaw is not listed in the KEV catalog, no confirmed public exploit is known. The likely attack vector is via the web interface of the affected theme, requiring authenticated access or presence of a vulnerable configuration. The overall risk remains low due to the limited exploitation likelihood but can be significant if the attacker achieves elevated privileges."}}}}, "created": "2026-02-20T10:08:11.922249+00:00", "updated": "2026-04-16T00:15:18.640490+00:00", "vendors": ["uixthemes", "uixthemes$PRODUCT$sober", "wordpress", "wordpress$PRODUCT$wordpress"]}