{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39627", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:36.651Z", "datePublished": "2026-04-08T08:30:27.618Z", "dateUpdated": "2026-04-08T08:30:27.618Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ashe", "product": "Ashe", "vendor": "wproyal", "versions": [{"lessThanOrEqual": "2.266", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:33.648Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in wproyal Ashe ashe allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Ashe: from n/a through <= 2.266.</p>"}], "value": "Missing Authorization vulnerability in wproyal Ashe ashe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ashe: from n/a through <= 2.266."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:27.618Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/ashe/vulnerability/wordpress-ashe-theme-2-266-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Ashe theme <= 2.266 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in wproyal Ashe ashe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ashe: from n/a through <= 2.266."}], "id": "CVE-2026-39627", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:33.080", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/ashe/vulnerability/wordpress-ashe-theme-2-266-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.266]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Ashe", "source": "cna", "vendor": "wproyal"}, "product": "ashe", "vendor": "wproyal"}], "analysis": {"en": {"generated_at": "2026-04-08T09:36:42.502769+00:00", "value": {"mitigation_remediation": ["Update the Ashe theme to a version newer than 2.266 to eliminate the flaw. ", "Verify that the update contains the security fix by reviewing the change log or vendor announcement. ", "If an immediate update is not feasible, switch to a different, trusted theme or the default WordPress theme until the vulnerability is resolved."], "summary": {"action": "Patch immediately", "impact": "Broken access control allowing unauthorized privilege escalation"}, "threat_synthesis": {"affected_systems": "The affected product is the Ashe theme by the wproyal vendor. All releases from the earliest available version up to and including version 2.266 are impacted. The theme is widely used within WordPress installations.", "description_and_impact": "The vulnerability is a missing authorization flaw in the WordPress Ashe theme that permits incorrectly configured access control security levels. As a result, an attacker can gain unauthorized access to privileged functions, potentially exposing data or gaining control over site settings. This weakness is classified as CWE-862, indicating improper restriction of resources or privileges.", "risk_and_exploitability": "No CVSS, EPSS, or KEV data are provided, leaving the precise severity and exploitation likelihood unclear. However, the issue is a classic access\u2011control flaw, and the likely attack vector is through web requests to the theme\u2019s administrative interfaces. Until a patch or newer version is applied, the risk of an attacker exploiting this vulnerability remains high."}}}}, "created": "2026-04-08T19:29:32.055038+00:00", "updated": "2026-04-08T19:41:48.696259+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wproyal", "wproyal$PRODUCT$ashe"]}