{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40730", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-15T09:19:28.916Z", "datePublished": "2026-04-15T10:21:33.831Z", "dateUpdated": "2026-04-15T10:21:33.831Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "themegrill-demo-importer", "product": "ThemeGrill Demo Importer", "vendor": "ThemeGrill", "versions": [{"changes": [{"at": "2.0.0.7", "status": "unaffected"}], "lessThanOrEqual": "2.0.0.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Steven Julian | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-15T12:20:45.288Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in ThemeGrill ThemeGrill Demo Importer themegrill-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects ThemeGrill Demo Importer: from n/a through <= 2.0.0.6.</p>"}], "value": "Missing Authorization vulnerability in ThemeGrill ThemeGrill Demo Importer themegrill-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ThemeGrill Demo Importer: from n/a through <= 2.0.0.6."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-15T10:21:33.831Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/themegrill-demo-importer/vulnerability/wordpress-themegrill-demo-importer-plugin-2-0-0-6-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress ThemeGrill Demo Importer plugin <= 2.0.0.6 - Broken Access Control vulnerability"}}}

{}

{}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.0.0.6]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[2.0.0.7,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ThemeGrill Demo Importer", "source": "cna", "vendor": "ThemeGrill"}, "product": "themegrill_demo_importer", "vendor": "themegrill"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T11:52:45.625273+00:00", "value": {"mitigation_remediation": ["Upgrade ThemeGrill Demo Importer to a version newer than 2.0.0.6.", "Restrict the visibility of the plugin\u2019s import triggers so that only administrators or trusted roles in WordPress can access the Importer functions, ensuring other user roles cannot reach the import page.", "Implement network\u2011level hardening such as a Web Application Firewall to block unauthorized or suspicious requests to the plugin\u2019s import endpoints."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access / Privilege Escalation"}, "threat_synthesis": {"affected_systems": "ThemeGrill Demo Importer plugin for WordPress, all versions up to and including 2.0.0.6. The affected software is distributed under the name ThemeGrill Demo Importer; no additional version details beyond the upper bound are provided.", "description_and_impact": "The vulnerability is a missing authorization flaw in the ThemeGrill Demo Importer WordPress plugin that allows an attacker to exploit incorrectly configured access control levels and perform administrative actions within the plugin without proper authentication, potentially exposing sensitive data or enabling further exploitation.", "risk_and_exploitability": "The CVE does not list an EPSS score or inclusion in the CISA KEV catalog, indicating that exploitation trends are not known to be widespread. Based on the description, it is inferred that an attacker can access the plugin\u2019s import endpoint by sending a crafted HTTP request directly to the import URL or by submitting a form within the WordPress administrative interface. Because the flaw requires no authentication, any actor who can reach the affected site\u2014whether authenticated or not\u2014could trigger the import action and gain access to administrative capabilities. The missing authorization control (CWE\u2011862) represents a high\u2011impact security weakness that can lead to full privilege escalation on the WordPress installation."}}}}, "created": "2026-04-15T13:44:47.516072+00:00", "updated": "2026-04-15T13:44:58.886778+00:00", "vendors": ["themegrill", "themegrill$PRODUCT$themegrill_demo_importer", "wordpress", "wordpress$PRODUCT$wordpress"]}