CVE-2026-40809 MEDIUM

CVE-2026-40809: WordPress Metro Magazine theme <= 1.4.1 - Broken Access Control vulnerability

Vendor Rara Themes
Product Metro Magazine
Weakness CWE-862 · Missing authorization
Published June 16, 2026
Last update June 16, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01Description

Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.4.1.

Explanation of Vulnerability in Simple Terms

02Summary

Metro Magazine by Rara Themes contains a missing authorization flaw that allows unauthenticated attackers to modify site data over the network. The vulnerability affects versions up to 1.4.1 and requires no user interaction. An attacker can alter content or settings without needing valid credentials, potentially compromising site integrity.

What an attacker can do

03Attacker Capabilities

Modify site data and settings without authentication.

Potential impact on your site

04Site Impact

Unauthorized changes to site content, settings, or data by remote attackers.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06Disclosure timeline

June 16, 2026 CVE published

Related vulnerabilities

08Related CVE