{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39622", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:27.974Z", "datePublished": "2026-04-08T08:30:26.564Z", "dateUpdated": "2026-04-08T08:30:26.564Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "education-base", "product": "Education Base", "vendor": "acmethemes", "versions": [{"lessThanOrEqual": "3.0.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:38.545Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in acmethemes Education Base education-base allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Education Base: from n/a through <= 3.0.8.</p>"}], "value": "Missing Authorization vulnerability in acmethemes Education Base education-base allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Education Base: from n/a through <= 3.0.8."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:26.564Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/education-base/vulnerability/wordpress-education-base-theme-3-0-8-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Education Base theme <= 3.0.8 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in acmethemes Education Base education-base allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Education Base: from n/a through <= 3.0.8."}], "id": "CVE-2026-39622", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:32.410", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/education-base/vulnerability/wordpress-education-base-theme-3-0-8-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.0.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Education Base", "source": "cna", "vendor": "acmethemes"}, "product": "education_base", "vendor": "acmethemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:48:12.987143+00:00", "value": {"mitigation_remediation": ["Upgrade the Education Base theme to any version newer than 3.0.8.", "Verify that the upgrade is successful and that all access controls behave as intended.", "If an upgrade cannot be applied, replace the theme with a secure alternative or remove it entirely."], "summary": {"action": "Patch Immediate", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the acmethemes Education Base theme version 3.0.8 or earlier are vulnerable. All sites deploying any of these versions are at risk until the theme is updated or replaced.", "description_and_impact": "The vulnerability is a missing authorization flaw in the acmethemes Education Base WordPress theme that allows attackers to bypass intended access controls. This lacks proper authorization checks and corresponds to CWE\u2011862, enabling unauthorized reading, modification, or deletion of theme\u2011related content and compromising a site\u2019s confidentiality and integrity.", "risk_and_exploitability": "Based on the description, it is inferred that the attack vector is remote through publicly accessible WordPress URLs that invoke theme functions lacking proper authentication. The CVSS score and EPSS are not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. Despite the absence of explicit metrics, the possibility of unauthenticated exploitation of privileged operations indicates a high risk. Attackers would require minimal effort to discover affected endpoints; however, no public exploits or detailed exploitation instructions have been disclosed."}}}}, "created": "2026-04-08T19:29:37.356277+00:00", "updated": "2026-04-08T19:41:54.098031+00:00", "vendors": ["acmethemes", "acmethemes$PRODUCT$education_base", "wordpress", "wordpress$PRODUCT$wordpress"]}