CVE-2026-31915
Missing Authorization in Flatsome UX-Themes Enables Unauthorized Access
Publication date: 2026-03-13
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ux-themes | flatsome | to 3.19.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31915 is a Broken Access Control vulnerability in the WordPress Flatsome Theme versions up to and including 3.19.6.
It arises from missing authorization, authentication, or nonce token checks within certain functions, which allows unauthenticated users to perform actions that normally require higher privileges.
This means that the theme does not properly restrict access to some features, potentially letting attackers bypass security controls.
How can this vulnerability impact me? :
The vulnerability allows unauthenticated users to perform actions that require higher privileges, which could lead to unauthorized changes or manipulations within the affected theme.
However, the CVSS score of 5.3 indicates a low priority and low impact threat, and exploitation is considered unlikely.
Users of the Flatsome Theme versions up to 3.19.6 should update to version 3.19.7 or later to mitigate this risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization and authentication checks in the Flatsome WordPress theme up to version 3.19.6, allowing unauthenticated users to perform privileged actions.
Detection typically involves checking the version of the Flatsome theme installed on your WordPress site.
You can detect the vulnerable version by running commands to identify the theme version, such as:
- Using WP-CLI: wp theme list --status=active
- Checking the style.css file in the theme directory (usually wp-content/themes/flatsome/style.css) for the version number.
Additionally, monitoring web server logs for suspicious unauthenticated requests attempting to access privileged functions related to the Flatsome theme may help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to update the Flatsome WordPress theme to version 3.19.7 or later, where this vulnerability is resolved.
If updating immediately is not possible, consider restricting access to the theme files and administrative functions to trusted users only, and monitor for any unusual activity.
Regularly review and apply security patches and updates provided by the theme developer to reduce exposure to such vulnerabilities.