{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39714", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:29.177Z", "datePublished": "2026-04-08T08:30:49.299Z", "dateUpdated": "2026-04-08T13:09:27.163Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "g5plus-april", "product": "G5Plus April", "vendor": "G5Theme", "versions": [{"lessThanOrEqual": "6.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:45.708Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in G5Theme G5Plus April g5plus-april allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects G5Plus April: from n/a through <= 6.8.</p>"}], "value": "Missing Authorization vulnerability in G5Theme G5Plus April g5plus-april allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects G5Plus April: from n/a through <= 6.8."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:49.299Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/g5plus-april/vulnerability/wordpress-g5plus-april-theme-6-8-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress G5Plus April theme <= 6.8 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T13:08:40.973671Z", "id": "CVE-2026-39714", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T13:09:27.163Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39714", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T13:08:40.973671Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T13:08:31.552Z"}}], "cna": {"title": "WordPress G5Plus April theme <= 6.8 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "G5Theme", "product": "G5Plus April", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "6.8"}], "packageName": "g5plus-april", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:45.708Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/g5plus-april/vulnerability/wordpress-g5plus-april-theme-6-8-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in G5Theme G5Plus April g5plus-april allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects G5Plus April: from n/a through <= 6.8.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in G5Theme G5Plus April g5plus-april allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects G5Plus April: from n/a through <= 6.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:49.299Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39714", "state": "PUBLISHED", "dateUpdated": "2026-04-08T13:09:27.163Z", "dateReserved": "2026-04-07T10:58:29.177Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:49.299Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in G5Theme G5Plus April g5plus-april allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects G5Plus April: from n/a through <= 6.8."}], "id": "CVE-2026-39714", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:44.400", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/g5plus-april/vulnerability/wordpress-g5plus-april-theme-6-8-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "G5Plus April", "source": "cna", "vendor": "G5Theme"}, "product": "g5plus_april", "vendor": "g5theme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T14:37:46.808220+00:00", "value": {"mitigation_remediation": ["Identify WordPress installations using G5Plus April version 6.8 or earlier.", "If an updated theme version is available, apply the upgrade immediately.", "If an update is not available, restrict access to the theme\u2019s administrative functions using web server rules or plugin hardening controls.", "Regularly audit site content and user permissions for unauthorized changes.", "Keep the WordPress core, plugins, and themes updated to the latest secure releases."], "summary": {"action": "Assess Impact", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "The issue affects deployments of the G5Plus April theme for WordPress, versions up to and including 6.8. Admins and users of WordPress sites that have installed this theme are therefore exposed.", "description_and_impact": "Due to a missing authorization check in G5Theme G5Plus April, attackers may access or modify functions that are intended to be restricted. The vulnerability facilitates exploitation of incorrectly configured access control security levels, potentially enabling unauthorized content modification or elevation of privileges on a WordPress site. The weakness is categorized as CWE\u2011862: Missing Authorization.", "risk_and_exploitability": "The CVSS rating of 5.3 indicates a medium severity risk. The EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers are likely to reach the vulnerable code through normal web requests targeting the theme\u2019s administrative interfaces; however, this is inferred from the nature of the missing authorization checks, as the explicit attack vector is not detailed in the description."}}}}, "created": "2026-04-08T19:27:22.593747+00:00", "updated": "2026-04-08T19:40:03.140102+00:00", "vendors": ["g5theme", "g5theme$PRODUCT$g5plus_april", "wordpress", "wordpress$PRODUCT$wordpress"]}