{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25454", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:53.792Z", "datePublished": "2026-03-25T16:14:50.201Z", "dateUpdated": "2026-03-26T16:50:46.129Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "the-league", "product": "The League", "vendor": "MVPThemes", "versions": [{"lessThanOrEqual": "<= 4.4.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:29.444Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in MVPThemes The League the-league allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects The League: from n/a through <= 4.4.1.</p>"}], "value": "Missing Authorization vulnerability in MVPThemes The League the-league allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The League: from n/a through <= 4.4.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:50.201Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/the-league/vulnerability/wordpress-the-league-theme-4-4-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress The League theme <= 4.4.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25454", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:43:52.539168Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:50:46.129Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25454", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:43:52.539168Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:31:58.856Z"}}], "cna": {"title": "WordPress The League theme <= 4.4.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "MVPThemes", "product": "The League", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 4.4.1"}], "packageName": "the-league", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:29.444Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/the-league/vulnerability/wordpress-the-league-theme-4-4-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in MVPThemes The League the-league allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The League: from n/a through <= 4.4.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in MVPThemes The League the-league allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects The League: from n/a through <= 4.4.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:50.201Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25454", "state": "PUBLISHED", "dateUpdated": "2026-03-26T16:40:30.690Z", "dateReserved": "2026-02-02T12:53:53.792Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:50.201Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in MVPThemes The League the-league allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The League: from n/a through <= 4.4.1."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n Faltante en MVPThemes The League the-league permite Explotar Niveles de Seguridad de Control de Acceso Incorrectamente Configurados. Este problema afecta a The League: desde n/a hasta &lt;= 4.4.1."}], "id": "CVE-2026-25454", "lastModified": "2026-03-26T17:16:32.470", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:51.473", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/the-league/vulnerability/wordpress-the-league-theme-4-4-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.4.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "The League", "source": "cna", "vendor": "MVPThemes"}, "product": "the_league", "vendor": "mvpthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T19:30:01.569031+00:00", "value": {"mitigation_remediation": ["Upgrade MVPThemes The League to the latest version (any release greater than 4.4.1), ensuring the patch is applied immediately.", "If a timely upgrade is not possible, deactivate the theme or switch to a secure alternative theme to prevent further exploitation.", "Verify that user role capabilities and permissions are correctly configured, and review any custom access controls to confirm authority checks are enforced.", "Monitor site activity for unauthorized content changes or configuration alterations until the vulnerability is fully remediated."], "summary": {"action": "Update Theme", "impact": "Unauthorized Access via Broken Access Control"}, "threat_synthesis": {"affected_systems": "All installations of the MVPThemes The League WordPress theme through version 4.4.1 are affected. Any WordPress site that has this theme activated and has not applied a patch beyond 4.4.1 is vulnerable, regardless of the WordPress core version.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows actors to bypass intended access restrictions within the MVPThemes The League WordPress theme. By exploiting incorrectly configured security levels, a user may perform actions normally reserved for higher privilege levels, such as modifying theme settings or inserting content. This defect is identified as CWE-862, indicating that authority checks are absent or inadequate, which can compromise the confidentiality, integrity, or availability of the WordPress site.", "risk_and_exploitability": "The CVE description does not specify an explicit attack vector, but the nature of the flaw suggests the likely attack path is via a web\u2011interface request that triggers the insecure code path; this inference is made because the vulnerability involves configuration of web\u2011based access controls. No CVSS score is provided, and the EPSS score is unavailable, so the overall severity must be judged by the high potential impact of unauthorized access. The vulnerability is not listed in the CISA KEV catalog, which reduces the evidence that it is actively exploited, but the risk remains significant for exposed sites."}}}}, "created": "2026-03-25T21:44:25.170484+00:00", "updated": "2026-03-26T11:38:20.666842+00:00", "vendors": ["mvpthemes", "mvpthemes$PRODUCT$the_league", "wordpress", "wordpress$PRODUCT$wordpress"]}