CVE-2026-31915
Received Received - Intake
Missing Authorization in Flatsome UX-Themes Enables Unauthorized Access

Publication date: 2026-03-13

Last updated on: 2026-04-29

Assigner: Patchstack

Description
Missing Authorization vulnerability in UX-themes Flatsome flatsome allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flatsome: from n/a through <= 3.19.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31915
EUVD
EUVD-2026-11788
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ux-themes flatsome to 3.19.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31915 is a Broken Access Control vulnerability in the WordPress Flatsome Theme versions up to and including 3.19.6.

It arises from missing authorization, authentication, or nonce token checks within certain functions, which allows unauthenticated users to perform actions that normally require higher privileges.

This means that the theme does not properly restrict access to some features, potentially letting attackers bypass security controls.

Impact Analysis

The vulnerability allows unauthenticated users to perform actions that require higher privileges, which could lead to unauthorized changes or manipulations within the affected theme.

However, the CVSS score of 5.3 indicates a low priority and low impact threat, and exploitation is considered unlikely.

Users of the Flatsome Theme versions up to 3.19.6 should update to version 3.19.7 or later to mitigate this risk.

Compliance Impact

I don't know

Detection Guidance

This vulnerability arises from missing authorization and authentication checks in the Flatsome WordPress theme up to version 3.19.6, allowing unauthenticated users to perform privileged actions.

Detection typically involves checking the version of the Flatsome theme installed on your WordPress site.

You can detect the vulnerable version by running commands to identify the theme version, such as:

  • Using WP-CLI: wp theme list --status=active
  • Checking the style.css file in the theme directory (usually wp-content/themes/flatsome/style.css) for the version number.

Additionally, monitoring web server logs for suspicious unauthenticated requests attempting to access privileged functions related to the Flatsome theme may help detect exploitation attempts.

Mitigation Strategies

The primary and immediate mitigation step is to update the Flatsome WordPress theme to version 3.19.7 or later, where this vulnerability is resolved.

If updating immediately is not possible, consider restricting access to the theme files and administrative functions to trusted users only, and monitor for any unusual activity.

Regularly review and apply security patches and updates provided by the theme developer to reduce exposure to such vulnerabilities.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31915. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart