VYPR
Medium severity · 5.3 · NVD Advisory · Published Jan 23, 2026 · Updated Apr 28, 2026

CVE-2026-24615

Description

Missing Authorization vulnerability in themebeez Cream Magazine cream-magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cream Magazine: from n/a through <= 2.1.10.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cream Magazine theme <=2.1.10 has a missing authorization vulnerability allowing unauthenticated attackers to exploit incorrectly configured access controls.

Vulnerability Overview

The Cream Magazine WordPress theme, versions 2.1.10 and earlier, contains a missing authorization vulnerability. This issue stems from incorrectly configured access control security levels, which allow unauthenticated exploitation of broken access control mechanisms [1]. The vulnerability is classified as a broken access control issue, meaning there is a missing authorization, authentication, or nonce token check in a function that could enable an unprivileged user to execute a higher-privileged action [1].

Exploitation and Attack Surface

Attackers can exploit this vulnerability without requiring authentication, as the access control checks are missing. The attack surface is broad because the theme is used on many WordPress sites, and such vulnerabilities are commonly leveraged in mass-exploit campaigns targeting thousands of websites regardless of their traffic or popularity [1]. No special network position or privileged access is needed to trigger the flaw.

Impact

Successful exploitation allows an attacker to perform actions that should require higher privileges, potentially leading to unauthorized access or modification of site content and settings. The CVSS v3 base score is 5.3 (Medium), indicating moderate severity [1] with low impact on confidentiality and integrity.

Mitigation Status

The theme was last updated 3 months ago and is unlikely to receive further patches [1]. The vendor recommends removing and replacing the theme. Deactivating the theme does not remove the security threat unless a mitigation rule (e.g., from Patchstack) is deployed [1]. Immediate action is advised, such as updating the theme if a patch becomes available, or seeking help from a hosting provider or web developer [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
