{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39648", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:48.107Z", "datePublished": "2026-04-08T08:30:33.766Z", "dateUpdated": "2026-04-09T15:31:38.730Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "cream-blog", "product": "Cream Blog", "vendor": "themebeez", "versions": [{"lessThanOrEqual": "2.1.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:38.249Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in themebeez Cream Blog cream-blog allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Cream Blog: from n/a through <= 2.1.7.</p>"}], "value": "Missing Authorization vulnerability in themebeez Cream Blog cream-blog allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cream Blog: from n/a through <= 2.1.7."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:33.766Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/cream-blog/vulnerability/wordpress-cream-blog-theme-2-1-7-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Cream Blog theme <= 2.1.7 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T15:31:17.302365Z", "id": "CVE-2026-39648", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:31:38.730Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39648", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T15:31:17.302365Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:31:08.463Z"}}], "cna": {"title": "WordPress Cream Blog theme <= 2.1.7 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "themebeez", "product": "Cream Blog", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.1.7"}], "packageName": "cream-blog", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:38.249Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/cream-blog/vulnerability/wordpress-cream-blog-theme-2-1-7-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in themebeez Cream Blog cream-blog allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cream Blog: from n/a through <= 2.1.7.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in themebeez Cream Blog cream-blog allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Cream Blog: from n/a through <= 2.1.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:33.766Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39648", "state": "PUBLISHED", "dateUpdated": "2026-04-09T15:31:38.730Z", "dateReserved": "2026-04-07T10:57:48.107Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:33.766Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in themebeez Cream Blog cream-blog allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cream Blog: from n/a through <= 2.1.7."}], "id": "CVE-2026-39648", "lastModified": "2026-04-09T16:16:29.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:35.753", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/cream-blog/vulnerability/wordpress-cream-blog-theme-2-1-7-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Cream Blog", "source": "cna", "vendor": "themebeez"}, "product": "cream_blog", "vendor": "themebeez"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:45:54.875014+00:00", "value": {"mitigation_remediation": ["Update the Cream Blog theme to the latest released version to remove the missing authorization flaw.", "If an update cannot be performed immediately, deactivate or uninstall the theme to block further exploitation.", "Verify that no backdoor or residual malicious code remains on the site after the update or removal."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "All WordPress installations using the Cream Blog theme from themebeez with versions up to and including 2.1.7 are impacted. Any site that has loaded this theme is vulnerable.", "description_and_impact": "Missing authorization controls in the Cream Blog WordPress theme allow an attacker to perform actions beyond the permissions a user should have. The flaw enables unauthorized modification, viewing, or deletion of site content, settings, or user data, potentially exposing sensitive information or disrupting normal site operation.", "risk_and_exploitability": "No publicly reported exploitation or EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The description indicates a broken access control weakness that could be exploited remotely via the web interface. Based on the description, it is inferred that an attacker would need to use a user account that has been granted elevated privileges or attempt to elevate privileges through other means. The overall risk remains high for sites that still use the affected theme version, given the potential for both data theft and site disruption."}}}}, "created": "2026-04-08T19:28:24.017557+00:00", "updated": "2026-04-08T19:41:27.848112+00:00", "vendors": ["themebeez", "themebeez$PRODUCT$cream_blog", "wordpress", "wordpress$PRODUCT$wordpress"]}