{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25460", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:53.793Z", "datePublished": "2026-03-25T16:14:51.015Z", "dateUpdated": "2026-03-27T13:47:28.673Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "ave-core", "product": "Ave Core", "vendor": "LiquidThemes", "versions": [{"lessThanOrEqual": "<= 2.9.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Rafie Muhammad | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:30.260Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in LiquidThemes Ave Core ave-core allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Ave Core: from n/a through <= 2.9.1.</p>"}], "value": "Missing Authorization vulnerability in LiquidThemes Ave Core ave-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ave Core: from n/a through <= 2.9.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:51.015Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ave-core/vulnerability/wordpress-ave-core-plugin-2-9-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Ave Core plugin <= 2.9.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:32:21.919724Z", "id": "CVE-2026-25460", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:47:28.673Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25460", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:32:21.919724Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:31:57.071Z"}}], "cna": {"title": "WordPress Ave Core plugin <= 2.9.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Rafie Muhammad | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "LiquidThemes", "product": "Ave Core", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 2.9.1"}], "packageName": "ave-core", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:30.260Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/ave-core/vulnerability/wordpress-ave-core-plugin-2-9-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in LiquidThemes Ave Core ave-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ave Core: from n/a through <= 2.9.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in LiquidThemes Ave Core ave-core allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Ave Core: from n/a through <= 2.9.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:51.015Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25460", "state": "PUBLISHED", "dateUpdated": "2026-03-27T13:47:28.673Z", "dateReserved": "2026-02-02T12:53:53.793Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:51.015Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in LiquidThemes Ave Core ave-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ave Core: from n/a through <= 2.9.1."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en LiquidThemes Ave Core ave-core permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Ave Core: desde n/a hasta &lt;= 2.9.1."}], "id": "CVE-2026-25460", "lastModified": "2026-03-30T13:27:12.923", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:52.147", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ave-core/vulnerability/wordpress-ave-core-plugin-2-9-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.9.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Ave Core", "source": "cna", "vendor": "LiquidThemes"}, "product": "ave_core", "vendor": "liquidthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-27T16:01:41.341647+00:00", "value": {"mitigation_remediation": ["Update the Ave Core plugin to the latest version that resolves the access control issue (versions newer than 2.9.1).", "If an upgrade is not immediately possible, disable the plugin entirely to block access to its vulnerable functionality.", "Review and audit the plugin\u2019s configured permissions and restrict administrative access to trusted users only."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "All installations of the Ave Core plugin from the first released version through version 2.9.1 are affected. Site administrators who use this plugin on WordPress should identify whether those specific plugin versions are in use and ensure that the plugin is updated or removed.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows attackers to exploit incorrectly configured access control security levels in the Ave Core plugin. Because the plugin\u2019s administrative functions are not properly protected, an attacker could gain unauthorized access to protected configuration settings or other sensitive functionality provided by the plugin, potentially enabling further misuse of the WordPress site.", "risk_and_exploitability": "The CVSS score of 6.3 places this vulnerability in the medium severity range, and the EPSS score of less than 1% together with the absence from the CISA KEV catalog indicate that the likelihood of active exploitation is currently low. Nevertheless, the flaw can be leveraged by users with limited site privileges to access privileged plugin pages, which may lead to unauthorized configuration changes or disclosure of protected data. Attackers would likely traverse the plugin\u2019s administrative interface; however, detailed exploitation steps are not supplied in the description, so the risk assessment is based on the nature of the broken access control."}}}}, "created": "2026-03-25T21:44:20.011206+00:00", "updated": "2026-03-27T20:26:19.967628+00:00", "vendors": ["liquidthemes", "liquidthemes$PRODUCT$ave_core", "wordpress", "wordpress$PRODUCT$wordpress"]}