{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39637", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:43.491Z", "datePublished": "2026-04-08T08:30:30.861Z", "dateUpdated": "2026-04-08T08:30:30.861Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "mogi", "product": "Mogi", "vendor": "SpabRice", "versions": [{"lessThanOrEqual": "1.2.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:36.727Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in SpabRice Mogi mogi allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Mogi: from n/a through <= 1.2.3.</p>"}], "value": "Missing Authorization vulnerability in SpabRice Mogi mogi allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mogi: from n/a through <= 1.2.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:30.861Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/mogi/vulnerability/wordpress-mogi-theme-1-2-3-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "title": "WordPress Mogi theme <= 1.2.3 - Arbitrary Shortcode Execution vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in SpabRice Mogi mogi allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mogi: from n/a through <= 1.2.3."}], "id": "CVE-2026-39637", "lastModified": "2026-04-08T09:16:34.410", "metrics": {}, "published": "2026-04-08T09:16:34.410", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/mogi/vulnerability/wordpress-mogi-theme-1-2-3-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.2.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Mogi", "source": "cna", "vendor": "SpabRice"}, "product": "mogi", "vendor": "spabrice"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:10:18.891727+00:00", "value": {"mitigation_remediation": ["Upgrade the Mogi theme to a version newer than 1.2.3 as soon as an update is available.", "If an update cannot be applied immediately, restrict or disable the shortcode functionality within the theme, or remove the theme entirely from the site.", "Monitor the site for unexpected shortcode usage or new files that may indicate exploitation."], "summary": {"action": "Patch Now", "impact": "Arbitrary Shortcode Execution allowing Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of the SpabRice Mogi theme up through version 1.2.3 are affected. This includes every WordPress site that has not upgraded beyond that threshold and that still uses the theme.", "description_and_impact": "A Missing Authorization flaw in the SpabRice Mogi WordPress theme allows an attacker to execute arbitrary shortcodes. Because shortcodes can run PHP code inside WordPress, this provides the attacker with the capability to run arbitrary code on the host\u2014effectively remote code execution. The weakness is rooted in a missing authorization check, aligning with CWE\u2011862. The potential impact is that any user capable of adding or triggering shortcodes could gain full control over the site\u2019s execution context, placing confidentiality, integrity, and availability at risk.", "risk_and_exploitability": "The CVSS score is not supplied, but remote code execution is deemed a high\u2011severity outcome. EPSS data is missing and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no confirmed exploitation yet. Nonetheless, the attack vector is web\u2011based and only requires the ability to load a malicious shortcode, a condition that many sites can satisfy without full administrative privilege if the theme\u2019s shortcode parsing is improperly protected. Consequently the risk is significant and the likelihood of exploitation is uncertain but present."}}}}, "created": "2026-04-08T19:29:24.648822+00:00", "updated": "2026-04-08T19:41:38.061227+00:00", "vendors": ["spabrice", "spabrice$PRODUCT$mogi", "wordpress", "wordpress$PRODUCT$wordpress"]}