{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39624", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:36.650Z", "datePublished": "2026-04-08T08:30:27.029Z", "dateUpdated": "2026-04-08T08:30:27.029Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "biolife", "product": "Biolife", "vendor": "kutethemes", "versions": [{"lessThanOrEqual": "3.2.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:38.915Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in kutethemes Biolife biolife allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Biolife: from n/a through <= 3.2.3.</p>"}], "value": "Missing Authorization vulnerability in kutethemes Biolife biolife allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Biolife: from n/a through <= 3.2.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:27.029Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/biolife/vulnerability/wordpress-biolife-theme-3-2-3-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "title": "WordPress Biolife theme <= 3.2.3 - Arbitrary Shortcode Execution vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in kutethemes Biolife biolife allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Biolife: from n/a through <= 3.2.3."}], "id": "CVE-2026-39624", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:32.673", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/biolife/vulnerability/wordpress-biolife-theme-3-2-3-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.2.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Biolife", "source": "cna", "vendor": "kutethemes"}, "product": "biolife", "vendor": "kutethemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:38:28.109017+00:00", "value": {"mitigation_remediation": ["Upgrade the Biolife theme to a version newer than 3.2.3.", "If an upgrade is not immediately possible, disable the execution of shortcodes on the site or restrict shortcode usage to trusted users via a restriction plugin.", "Ensure that role\u2011based access controls are correctly configured so that only authorized administrators can edit content that includes shortcodes.", "Monitor site logs for unexpected shortcode usage or error messages that could indicate exploitation attempts.", "Check the theme developer\u2019s website or support channels for additional security advisories or temporary fixes."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Shortcode Execution"}, "threat_synthesis": {"affected_systems": "The affected product is the Biolife WordPress theme from kutethemes. All releases from the initial version through 3.2.3 are susceptible. Users running any of these versions on a WordPress installation are at risk, regardless of site size or audience.", "description_and_impact": "The vulnerability in the kutethemes Biolife theme arises from missing authorization controls that allow attackers to exploit incorrectly configured access levels. This flaw enables the execution of arbitrary WordPress shortcodes, which can be leveraged to insert malicious code or content into a site\u2019s output. The weakness is identified as a missing access control (CWE\u2011862). In effect, an attacker can potentially run any shortcode they supply, leading to unauthorized code execution and significant compromise of content and site integrity.", "risk_and_exploitability": "Given the lack of publicly available CVSS and EPSS scores, the risk can be inferred to be high, as the flaw permits code execution without authentication. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed exploitation yet, but the potential impact remains severe. The likely attack vector involves an adversary gaining the ability to inject or modify shortcodes via the theme\u2019s interfaces or by manipulating input that triggers shortcode processing. Exploitation requires no special privileges and can be performed by anyone with access to the sites using the vulnerable theme."}}}}, "created": "2026-04-08T19:29:35.242446+00:00", "updated": "2026-04-08T19:41:51.611891+00:00", "vendors": ["kutethemes", "kutethemes$PRODUCT$biolife", "wordpress", "wordpress$PRODUCT$wordpress"]}