{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24615", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:32:24.372Z", "datePublished": "2026-01-23T14:29:05.288Z", "dateUpdated": "2026-04-23T14:14:07.075Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "cream-magazine", "product": "Cream Magazine", "vendor": "themebeez", "versions": [{"lessThanOrEqual": "2.1.10", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "John P | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:49.466Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in themebeez Cream Magazine cream-magazine allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Cream Magazine: from n/a through <= 2.1.10.</p>"}], "value": "Missing Authorization vulnerability in themebeez Cream Magazine cream-magazine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cream Magazine: from n/a through <= 2.1.10."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:07.075Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/cream-magazine/vulnerability/wordpress-cream-magazine-theme-2-1-10-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Cream Magazine theme <= 2.1.10 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T17:47:48.463720Z", "id": "CVE-2026-24615", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T21:52:30.716Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24615", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T17:47:48.463720Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T17:47:43.101Z"}}], "cna": {"title": "WordPress Cream Magazine theme <= 2.1.10 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "John P | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "themebeez", "product": "Cream Magazine", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.1.10"}], "packageName": "cream-magazine", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:49.466Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/cream-magazine/vulnerability/wordpress-cream-magazine-theme-2-1-10-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in themebeez Cream Magazine cream-magazine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cream Magazine: from n/a through <= 2.1.10.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in themebeez Cream Magazine cream-magazine allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Cream Magazine: from n/a through <= 2.1.10.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:07.075Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24615", "state": "PUBLISHED", "dateUpdated": "2026-04-23T14:14:07.075Z", "dateReserved": "2026-01-23T12:32:24.372Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:29:05.288Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in themebeez Cream Magazine cream-magazine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cream Magazine: from n/a through <= 2.1.10."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en themebeez Cream Magazine cream-magazine permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Cream Magazine: desde n/a hasta &lt;= 2.1.10."}], "id": "CVE-2026-24615", "lastModified": "2026-04-23T15:36:54.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-23T15:16:20.420", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/cream-magazine/vulnerability/wordpress-cream-magazine-theme-2-1-10-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:30:22.121661+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest Cream Magazine theme version that contains the access\u2011control fix", "If an upgrade is not immediately possible, disable the theme or remove it from the site until the patch is applied", "Harden WordPress by restricting theme editing and installation privileges to administrators only, using file\u2011system permissions and limiting access to the wp\u2011admin area"], "summary": {"action": "Update Theme", "impact": "Broken Access Control leading to unauthorized privileged actions"}, "threat_synthesis": {"affected_systems": "Themebeez\u2019s Cream Magazine theme, versions up through 2.1.10, is affected. The vulnerability applies to all installations running any of those versions and does not include newer releases beyond 2.1.10.", "description_and_impact": "The Cream Magazine theme for WordPress contains a missing authorization flaw that allows attackers to exploit incorrectly configured access control security levels. The weakness permits unauthorized users to access functionality reserved for privileged users, potentially enabling unauthorized configuration changes, data leakage, or further compromise of the site. Because the flaw is a broken access control (CWE\u2011862), any exposed administrative endpoints can be accessed without proper authentication or authorization.", "risk_and_exploitability": "The issue has a CVSS score of 5.3, indicating moderate severity, and an EPSS score of less than 1\u202f%, meaning the likelihood of exploitation is currently very low. The vulnerability is not listed in the CISA KEV catalog. Attackers could exploit the flaw by sending crafted HTTP requests to the theme\u2019s administrative endpoints, possibly without needing prior authentication. Because it concerns access control, the risk is higher for sites with exposed admin interfaces."}}}}, "created": "2026-01-26T11:52:39.573726+00:00", "updated": "2026-04-16T01:45:20.644834+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}