{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31915", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-10T10:59:45.899Z", "datePublished": "2026-03-13T11:41:53.239Z", "dateUpdated": "2026-04-29T09:51:57.665Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "flatsome", "product": "Flatsome", "vendor": "UX-themes", "versions": [{"changes": [{"at": "3.19.7", "status": "unaffected"}], "lessThanOrEqual": "3.19.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ananda Dhakal (Patchstack)"}], "datePublic": "2026-04-01T16:04:37.635Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in UX-themes Flatsome flatsome allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Flatsome: from n/a through <= 3.19.6.</p>"}], "value": "Missing Authorization vulnerability in UX-themes Flatsome flatsome allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flatsome: from n/a through <= 3.19.6."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.665Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/flatsome/vulnerability/wordpress-flatsome-theme-3-19-6-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Flatsome theme <= 3.19.6 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T15:23:49.186583Z", "id": "CVE-2026-31915", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T15:24:08.859Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31915", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T15:23:49.186583Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T15:22:45.625Z"}}], "cna": {"title": "WordPress Flatsome theme <= 3.19.6 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Ananda Dhakal (Patchstack)"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "UX-themes", "product": "Flatsome", "versions": [{"status": "affected", "changes": [{"at": "3.19.7", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.19.6"}], "packageName": "flatsome", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T15:38:36.039Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/flatsome/vulnerability/wordpress-flatsome-theme-3-19-6-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in UX-themes Flatsome flatsome allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flatsome: from n/a through <= 3.19.6.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in UX-themes Flatsome flatsome allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Flatsome: from n/a through <= 3.19.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T13:38:43.645Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31915", "state": "PUBLISHED", "dateUpdated": "2026-04-01T13:38:43.645Z", "dateReserved": "2026-03-10T10:59:45.899Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:41:53.239Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in UX-themes Flatsome flatsome allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flatsome: from n/a through <= 3.19.6."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en UX-themes Flatsome flatsome permite Explotar Niveles de Seguridad de Control de Acceso Configurados Incorrectamente. Este problema afecta a Flatsome: desde n/a hasta &lt;= 3.19.6."}], "id": "CVE-2026-31915", "lastModified": "2026-04-29T10:16:56.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:54:38.410", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/flatsome/vulnerability/wordpress-flatsome-theme-3-19-6-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.19.6]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "3.19.7"}}], "enrichment": {"confidence": 97.0, "confidence_source": "matching", "scores": [{"score": 97.0, "source": "matching"}]}, "original": {"product": "Flatsome", "source": "cna", "vendor": "UX-themes"}, "product": "flatsome", "vendor": "uxthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T15:24:53.817144+00:00", "value": {"mitigation_remediation": ["Update the Flatsome theme to version 3.19.7 or later.", "If an immediate upgrade is not possible, restrict Web access to the theme\u2019s administrative area using file permissions or web\u2011server access controls (e.g., .htaccess rules, Nginx restrictions).", "Monitor site logs for anomalous access attempts to theme files or administrative functions and review user roles regularly."], "summary": {"action": "Patch Now", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "UX\u2011themes:Flatsome are affected. All versions from n/a through 3.19.6 inclusive are vulnerable. Any site running Flatsome 3.19.6 or earlier is susceptible.", "description_and_impact": "The vulnerability is a Missing Authorization flaw in the UX\u2011themes Flatsome WordPress theme. It allows attackers to exploit incorrectly configured access control security levels, bypassing intended restrictions. This can enable unauthorized access to administrative functions or sensitive site data. The weakness is categorized as CWE\u2011862, indicating Broken Access Control.", "risk_and_exploitability": "The CVSS score of 5.3 signals a moderate severity. The EPSS score is reported as less than 1%, suggesting low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would most likely need web access to the WordPress site\u2019s administrative interface, and possibly a user account with elevated privileges, to exploit the broken access control. The attack vector is inferred to be remote (web\u2011based), as the exploit involves interacting with the theme\u2019s configuration via the site\u2019s front\u2011end or admin backend."}}}}, "created": "2026-03-16T09:37:44.587782+00:00", "updated": "2026-03-23T09:59:30.534425+00:00", "vendors": ["uxthemes", "uxthemes$PRODUCT$flatsome", "wordpress", "wordpress$PRODUCT$wordpress"]}