{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27051", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:30.505Z", "datePublished": "2026-03-25T16:14:53.781Z", "dateUpdated": "2026-03-25T16:14:53.781Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "golo", "product": "Golo", "vendor": "uxper", "versions": [{"lessThanOrEqual": "<= 1.7.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:32.729Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Privilege Assignment vulnerability in uxper Golo golo allows Privilege Escalation.<p>This issue affects Golo: from n/a through <= 1.7.0.</p>"}], "value": "Incorrect Privilege Assignment vulnerability in uxper Golo golo allows Privilege Escalation.This issue affects Golo: from n/a through <= 1.7.0."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "Privilege Escalation"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "description": "Incorrect Privilege Assignment", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:53.781Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/golo/vulnerability/wordpress-golo-theme-1-7-0-privilege-escalation-vulnerability?_s_id=cve"}], "title": "WordPress Golo theme <= 1.7.0 - Privilege Escalation vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Privilege Assignment vulnerability in uxper Golo golo allows Privilege Escalation.This issue affects Golo: from n/a through <= 1.7.0."}], "id": "CVE-2026-27051", "lastModified": "2026-03-25T17:16:54.390", "metrics": {}, "published": "2026-03-25T17:16:54.390", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/golo/vulnerability/wordpress-golo-theme-1-7-0-privilege-escalation-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:45:15.869975+00:00", "value": {"mitigation_remediation": ["Upgrade Golo theme to the latest released version that resolves the privilege assignment issue", "If upgrading is not immediately possible, consider disabling the theme or removing it from the WordPress installation while monitoring user roles for unauthorized changes", "Verify that existing user accounts do not have elevated capabilities beyond those intended", "Apply any security best practices such as restricting role creation and using strong authentication for administrative accounts"], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the Golo theme from the uxper vendor with a version of 1.7.0 or earlier are vulnerable. All releases from the initial version up through 1.7.0 are affected. Other versions are not listed as impacted.", "description_and_impact": "The Golo theme contains an incorrect privilege assignment flaw that allows a user with insufficient rights to elevate privileges within a WordPress site. An attacker can exploit this to create or upgrade a user account to the administrator level, gaining full control over the site, including content, settings, and other users' data. The weakness stems from improper handling of role capabilities, and it falls under CWE\u2011266.", "risk_and_exploitability": "No CVSS score or EPSS value is published, and the vulnerability is not listed in the CISA KEV catalog. Despite the lack of publicly available metrics, the flaw permits a direct privilege escalation path that requires only a legitimate WordPress user account. An attacker with edit permissions can leverage the theme code to grant themselves administrator rights, making the risk significant and the exploitation straightforward once the attacker gains any site access."}}}}, "created": "2026-03-25T21:44:06.490925+00:00", "updated": "2026-03-25T21:44:06.490971+00:00", "vendors": []}