{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39649", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:48.107Z", "datePublished": "2026-04-08T08:30:34.012Z", "dateUpdated": "2026-04-08T08:30:34.012Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "royale-news", "product": "Royale News", "vendor": "themebeez", "versions": [{"lessThanOrEqual": "2.2.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:34.614Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in themebeez Royale News royale-news allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Royale News: from n/a through <= 2.2.4.</p>"}], "value": "Missing Authorization vulnerability in themebeez Royale News royale-news allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Royale News: from n/a through <= 2.2.4."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:34.012Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/royale-news/vulnerability/wordpress-royale-news-theme-2-2-4-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Royale News theme <= 2.2.4 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in themebeez Royale News royale-news allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Royale News: from n/a through <= 2.2.4."}], "id": "CVE-2026-39649", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:35.883", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/royale-news/vulnerability/wordpress-royale-news-theme-2-2-4-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Royale News", "source": "cna", "vendor": "themebeez"}, "product": "royale_news", "vendor": "themebeez"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:45:41.734744+00:00", "value": {"mitigation_remediation": ["Update Royale News to version 2.2.5 or newer from the theme developer or trusted repository.", "If an update cannot be performed immediately, disable the Royale News theme or switch to an alternative theme to eliminate exposure.", "Verify that WordPress core, other themes, and plugins are kept up to date and check user roles to ensure only trusted administrators have elevated privileges.", "Monitor access logs for suspicious activity and investigate any unauthorized actions promptly."], "summary": {"action": "Patch immediately", "impact": "Unauthorized access"}, "threat_synthesis": {"affected_systems": "The flaw exists in the themebeez Royale News WordPress theme and applies to all releases up through version 2.2.4. WordPress sites that have installed any version 2.2.4 or earlier are affected.", "description_and_impact": "The problem is a missing authorization flaw in the Royale News theme that can be exploited by attackers lacking proper credentials. The vulnerability permits actions that should normally require higher privilege, potentially compromising site content. Because the CVE description does not detail exact capabilities, it is inferred that an attacker could view or modify data that should be protected.", "risk_and_exploitability": "No CVSS or EPSS metrics are provided, but the vulnerability is a classic broken\u2011access\u2011control flaw (CWE\u2011862) that can be exploited remotely through the WordPress interface. The issue is not listed in the CISA KEV catalog, suggesting no publicly documented exploitation yet. The potential impact on confidentiality, integrity, and availability means that the risk is moderate to high, especially for sites that use the affected theme without additional safeguards."}}}}, "created": "2026-04-08T19:28:22.905579+00:00", "updated": "2026-04-08T19:41:26.704958+00:00", "vendors": ["themebeez", "themebeez$PRODUCT$royale_news", "wordpress", "wordpress$PRODUCT$wordpress"]}