CVE-2026-40809

Vulnerability

The Metro Magazine WordPress theme, versions from n/a through 1.4.1, contains a missing authorization vulnerability. The theme fails to properly enforce access control checks on certain functions, allowing unauthenticated or low-privileged users to execute actions that should require higher privileges. This is a classic broken access control issue, as described in the Patchstack advisory [1].

Exploitation

An attacker can exploit this vulnerability by sending crafted HTTP requests to the vulnerable endpoints without any prior authentication. No special network position or user interaction is required. The attacker simply needs to identify the unprotected functions and trigger them, potentially automating the process to target multiple sites [1].

Impact

Successful exploitation allows an attacker to perform actions normally restricted to higher-privileged users, such as modifying theme settings, accessing sensitive data, or altering site configuration. This can lead to unauthorized information disclosure, data integrity compromise, and partial loss of control over the WordPress installation. The CVSS v3 score of 6.5 reflects a moderate but significant risk [1].

Mitigation

The vulnerability is fixed in version 1.4.2 of the Metro Magazine theme. Users should update to this version or later immediately. If updating is not possible, Patchstack offers a mitigation rule that blocks attacks until the patch is applied. No other workarounds are documented in the available references [1].