{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40730", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-15T09:19:28.916Z", "datePublished": "2026-04-15T10:21:33.831Z", "dateUpdated": "2026-04-29T09:52:04.755Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "themegrill-demo-importer", "product": "ThemeGrill Demo Importer", "vendor": "ThemeGrill", "versions": [{"changes": [{"at": "2.0.0.7", "status": "unaffected"}], "lessThanOrEqual": "2.0.0.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Steven Julian | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-15T12:20:45.288Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in ThemeGrill ThemeGrill Demo Importer themegrill-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects ThemeGrill Demo Importer: from n/a through <= 2.0.0.6.</p>"}], "value": "Missing Authorization vulnerability in ThemeGrill ThemeGrill Demo Importer themegrill-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ThemeGrill Demo Importer: from n/a through <= 2.0.0.6."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:04.755Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/themegrill-demo-importer/vulnerability/wordpress-themegrill-demo-importer-plugin-2-0-0-6-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress ThemeGrill Demo Importer plugin <= 2.0.0.6 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T15:35:05.429268Z", "id": "CVE-2026-40730", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:27:31.615Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-40730", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T15:35:05.429268Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:32:38.238Z"}}], "cna": {"title": "WordPress ThemeGrill Demo Importer plugin <= 2.0.0.6 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Steven Julian | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "ThemeGrill", "product": "ThemeGrill Demo Importer", "versions": [{"status": "affected", "changes": [{"at": "2.0.0.7", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.0.0.6"}], "packageName": "themegrill-demo-importer", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-15T12:20:45.288Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/themegrill-demo-importer/vulnerability/wordpress-themegrill-demo-importer-plugin-2-0-0-6-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ThemeGrill ThemeGrill Demo Importer themegrill-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ThemeGrill Demo Importer: from n/a through <= 2.0.0.6.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in ThemeGrill ThemeGrill Demo Importer themegrill-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects ThemeGrill Demo Importer: from n/a through <= 2.0.0.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-15T10:21:33.831Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40730", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:27:31.615Z", "dateReserved": "2026-04-15T09:19:28.916Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-15T10:21:33.831Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ThemeGrill ThemeGrill Demo Importer themegrill-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ThemeGrill Demo Importer: from n/a through <= 2.0.0.6."}], "id": "CVE-2026-40730", "lastModified": "2026-04-22T20:23:16.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-15T11:16:35.807", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/themegrill-demo-importer/vulnerability/wordpress-themegrill-demo-importer-plugin-2-0-0-6-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.0.0.6]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[2.0.0.7,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ThemeGrill Demo Importer", "source": "cna", "vendor": "ThemeGrill"}, "product": "themegrill_demo_importer", "vendor": "themegrill"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-22T07:42:38.799670+00:00", "value": {"mitigation_remediation": ["Update ThemeGrill Demo Importer to the latest available version that addresses the access control flaw.", "If an update is not yet available, disable the Demo Importer plugin or remove its import functionality until a patch is released.", "Use a WordPress security plugin or an .htaccess rule to restrict access to the import endpoint so that only users with administrator privileges can invoke it."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access / Privilege Escalation"}, "threat_synthesis": {"affected_systems": "ThemeGrill Demo Importer plugin for WordPress, all versions up to and including 2.0.0.6. The affected software is distributed under the name ThemeGrill Demo Importer; no additional version details beyond the upper bound are provided.", "description_and_impact": "The vulnerability is a missing authorization flaw in the ThemeGrill Demo Importer WordPress plugin that allows an attacker to exploit incorrectly configured access control levels and perform administrative actions within the plugin without proper authentication, potentially exposing sensitive data or enabling further exploitation.", "risk_and_exploitability": "Based on the description, it is inferred that an attacker would target the plugin\u2019s import endpoint by sending a crafted HTTP request directly to the import URL or via a form in the WordPress administrative interface. Because the flaw requires no authentication, it is inferred that any user who can reach the affected site\u2014whether authenticated or not\u2014could trigger the import action and access administrative capabilities. The missing authorization control (CWE-862) represents a high\u2011impact security weakness that can lead to full privilege escalation on the WordPress installation. The EPSS score is <1% and the CVSS score is 5.3, indicating a moderate risk that is currently not widely exploited."}}}}, "created": "2026-04-15T13:44:47.516072+00:00", "updated": "2026-04-22T07:45:11.741413+00:00", "vendors": ["themegrill", "themegrill$PRODUCT$themegrill_demo_importer", "wordpress", "wordpress$PRODUCT$wordpress"]}