{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39612", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:55.140Z", "datePublished": "2026-04-08T08:30:23.931Z", "dateUpdated": "2026-04-08T08:30:23.931Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "kuteshop", "product": "KuteShop", "vendor": "kutethemes", "versions": [{"lessThanOrEqual": "4.2.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:37.172Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in kutethemes KuteShop kuteshop allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects KuteShop: from n/a through <= 4.2.9.</p>"}], "value": "Missing Authorization vulnerability in kutethemes KuteShop kuteshop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KuteShop: from n/a through <= 4.2.9."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:23.931Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/kuteshop/vulnerability/wordpress-kuteshop-theme-4-2-9-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "title": "WordPress KuteShop theme <= 4.2.9 - Arbitrary Shortcode Execution vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in kutethemes KuteShop kuteshop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KuteShop: from n/a through <= 4.2.9."}], "id": "CVE-2026-39612", "lastModified": "2026-04-08T09:16:30.760", "metrics": {}, "published": "2026-04-08T09:16:30.760", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/kuteshop/vulnerability/wordpress-kuteshop-theme-4-2-9-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "KuteShop", "source": "cna", "vendor": "kutethemes"}, "product": "kuteshop", "vendor": "kutethemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:42:40.732293+00:00", "value": {"mitigation_remediation": ["Update the KuteShop theme to the latest version that fixes the access control issue. If a newer release is unavailable, consider disabling or restricting shortcode processing for unauthenticated users. Monitor site logs for unexpected shortcode activity and review user permissions to ensure only trusted administrators can add or customize shortcodes."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via arbitrary shortcode injection"}, "threat_synthesis": {"affected_systems": "WordPress sites running the KuteShop theme version 4.2.9 or earlier, specifically the version series <=4.2.9, are impacted. The issue originates in the KuteShop theme released by the Kutethemes vendor. No specific patches are listed in the provided references, but the problem exists across all builds up to and including 4.2.9.", "description_and_impact": "The vulnerability stems from missing authorization checks in the KuteShop theme, allowing an attacker to insert and execute arbitrary shortcodes. These shortcodes are processed with the full privileges of the WordPress site, meaning that injected code could read, modify, or delete data and potentially compromise the entire site. The weakness corresponds to CWE-862, reflecting an access control failure that enables unauthorized code execution.", "risk_and_exploitability": "The CVSS score and EPSS probability are not supplied, so the precise numerical severity is unknown. The vulnerability is not listed in the KEV catalog, indicating that no publicly known exploitation instances exist at this time. Nonetheless, because the flaw allows arbitrary code execution with the permissions of the site, the potential damage is high, especially if an attacker can reach the site without authentication. Without a documented exploit, the risk remains theoretical but credible, warranting urgent remediation."}}}}, "created": "2026-04-08T19:29:47.942035+00:00", "updated": "2026-04-08T19:42:05.081843+00:00", "vendors": ["kutethemes", "kutethemes$PRODUCT$kuteshop", "wordpress", "wordpress$PRODUCT$wordpress"]}