CVE-2026-39648
Missing Authorization in Cream Blog ≤ 2.1.7 Enables Unauthorized Access
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themebeez | cream_blog | ≤ 2.1.7 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a Broken Access Control issue that allows unauthenticated users to perform actions reserved for higher-privileged users. Such unauthorized access can lead to exposure or manipulation of sensitive data, which may affect compliance with standards like GDPR and HIPAA that require strict access controls and protection of personal and health information.
Although the CVSS base score of 5.3 rates only Medium severity, a missing authorization check raises the likelihood of data breaches or unauthorized data processing, which can violate regulatory requirements for data confidentiality and integrity.
No official patch is available, and the theme is unlikely to receive future fixes, so organizations using it must take mitigation steps now to maintain compliance.
Can you explain this vulnerability to me?
CVE-2026-39648 is a Broken Access Control vulnerability in the WordPress Cream Blog theme, versions up to and including 2.1.7.
The issue arises from missing authorization, authentication, or nonce checks in certain functions of the theme.
As a result, unauthenticated users can perform actions that should be restricted to higher-privileged users.
It falls under OWASP Top 10 category A01:2021 Broken Access Control.
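The advisory does not name the affected functions, so the following is an added illustration of the pattern it describes, not code from the Cream Blog theme: a WordPress AJAX handler that any visitor can reach and that never checks who is calling (the CWE-862 shape), next to the hardened form with the three checks the advisory lists as missing. The handler and option names (`example_theme_*`) are hypothetical.

```php
<?php
// Added illustration, not code from the Cream Blog theme. The handler names
// (example_theme_*) and the option name are assumptions for the example.

// Pattern 1: the CWE-862 shape. The callback is registered for logged-in
// (wp_ajax_) AND anonymous (wp_ajax_nopriv_) callers and never verifies a
// nonce or a capability, so a single unauthenticated POST to admin-ajax.php
// with action=example_theme_save_setting changes the option.
add_action( 'wp_ajax_example_theme_save_setting', 'example_theme_save_setting_vulnerable' );
add_action( 'wp_ajax_nopriv_example_theme_save_setting', 'example_theme_save_setting_vulnerable' );
function example_theme_save_setting_vulnerable() {
    update_option( 'example_theme_setting', wp_unslash( $_POST['value'] ?? '' ) );
    wp_send_json_success();
}

// Pattern 2: hardened. Authentication: no nopriv hook, so anonymous requests
// never reach the callback. CSRF: the nonce ties the request to a page the
// user actually loaded. Authorization: current_user_can() is the check that
// CWE-862 says is missing; a nonce on its own does not replace it.
add_action( 'wp_ajax_example_theme_save_setting_safe', 'example_theme_save_setting_hardened' );
function example_theme_save_setting_hardened() {
    // check_ajax_referer() dies with HTTP 403 when the nonce is missing or stale.
    check_ajax_referer( 'example_theme_save_setting', 'nonce' );

    // Use the narrowest capability that fits the action; theme settings map
    // naturally onto edit_theme_options.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_theme_setting', $value );
    wp_send_json_success();
}

// The nonce verified above is minted on the admin page that issues the
// request, for example when localising the admin script:
// wp_localize_script( 'example-theme-admin', 'exampleTheme',
//     array( 'nonce' => wp_create_nonce( 'example_theme_save_setting' ) ) );
```

The order of the checks matters less than their presence: a handler that verifies a nonce but not a capability still lets any logged-in subscriber perform the action, and one registered on a `wp_ajax_nopriv_` hook is reachable with no session at all, which is the situation the advisory describes.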
How can this vulnerability impact me?
This vulnerability allows unauthorized users to perform privileged actions on websites running the vulnerable Cream Blog theme.
Although its CVSS base score of 5.3 is only Medium, this type of vulnerability is commonly exploited in mass campaigns that target many websites indiscriminately.
The risk remains even if the theme is deactivated, unless a specific mitigation rule is applied.
Without mitigation, attackers could manipulate site content or settings, leading to a security breach.
Recommended immediate actions are to remove and replace the vulnerable theme, or to seek help from your hosting provider or web developer.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization, authentication, or nonce checks in certain functions of the Cream Blog WordPress theme up to version 2.1.7, allowing unauthenticated users to perform privileged actions.
Detection starts with checking whether a vulnerable Cream Blog version (<= 2.1.7) is installed on your WordPress site, whether or not it is the active theme.
Because the flaw is broken access control in theme functions, network-level detection would consist of monitoring for unusual or unauthenticated HTTP requests aimed at theme-specific endpoints or actions.
No specific commands are provided in the available resources to detect this vulnerability directly.
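As an added example (not from Patchstack or themebeez), here is a small PHP script that answers the version question offline by reading each theme's `style.css` header the way WordPress itself does. It assumes the standard `wp-content/themes/` layout, that the theme's header reads `Theme Name: Cream Blog`, and that its directory slug is `cream-blog`; the page only gives the product identifier `cream_blog`, so the slug and name are assumptions.

```php
<?php
// Added example, not the page's or the vendor's code. Assumes the usual
// wp-content/themes/<slug>/style.css layout and the header "Theme Name: Cream Blog".

/**
 * Parse the WordPress theme header from style.css text. Mirrors what
 * get_file_data() does: "Key: value" lines in the leading comment block,
 * matched case-insensitively, only the first 8 KiB of the file considered.
 */
function example_parse_theme_header( string $style_css ): array {
    $out = array();
    foreach ( array( 'Theme Name', 'Version', 'Template', 'Text Domain' ) as $key ) {
        if ( preg_match( '/^[ \t\/*#@]*' . preg_quote( $key, '/' ) . ':(.*)$/mi', $style_css, $m ) ) {
            $out[ $key ] = trim( $m[1] );
        }
    }
    return $out;
}

/**
 * True when the header describes Cream Blog at a vulnerable version
 * (<= 2.1.7 inclusive, per the advisory). version_compare() handles
 * multi-part version strings the same way WordPress does.
 */
function example_is_vulnerable_cream_blog( array $header ): bool {
    $name = strtolower( $header['Theme Name'] ?? '' );
    $ver  = $header['Version'] ?? '';
    return 'cream blog' === $name && '' !== $ver && version_compare( $ver, '2.1.7', '<=' );
}

/**
 * Scan every theme directory under $themes_dir. Returns slug => version for
 * vulnerable installs. Child themes carry their own Version, so a child's
 * "Template:" header is followed to check the parent it depends on.
 */
function example_scan_themes( string $themes_dir ): array {
    $hits = array();
    $base = rtrim( $themes_dir, '/' );
    foreach ( glob( $base . '/*/style.css' ) ?: array() as $css ) {
        $header = example_parse_theme_header( (string) file_get_contents( $css, false, null, 0, 8192 ) );
        if ( example_is_vulnerable_cream_blog( $header ) ) {
            $hits[ basename( dirname( $css ) ) ] = $header['Version'];
        }
        // A child theme referencing the parent: check the parent's header too.
        if ( ! empty( $header['Template'] ) && is_file( $base . '/' . $header['Template'] . '/style.css' ) ) {
            $parent = example_parse_theme_header( (string) file_get_contents( $base . '/' . $header['Template'] . '/style.css', false, null, 0, 8192 ) );
            if ( example_is_vulnerable_cream_blog( $parent ) ) {
                $hits[ $header['Template'] ] = $parent['Version'];
            }
        }
    }
    return $hits;
}

// Constructed sample header so the script runs stand-alone; it is not a real
// file from the theme.
$sample = "/*\nTheme Name: Cream Blog\nAuthor: themebeez\nVersion: 2.1.7\nText Domain: cream-blog\n*/\n";
var_dump( example_is_vulnerable_cream_blog( example_parse_theme_header( $sample ) ) );

// Real run: point it at the themes directory of the installation under review.
print_r( example_scan_themes( __DIR__ . '/wp-content/themes' ) );
```

Where WP-CLI is available, `wp theme list --fields=name,status,version` gives the same inventory in one command; the script above is for hosts where you only have file access. The same header is normally world-readable over HTTP at `/wp-content/themes/cream-blog/style.css` (slug assumed), which is how external scanners, and attackers running the mass campaigns the page mentions, fingerprint the version.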
What immediate steps should I take to mitigate this vulnerability?
The immediate recommendation is to remove the vulnerable Cream Blog theme (version 2.1.7 or earlier) from your WordPress installation and replace it with a maintained theme.
Because no official patch is available and deactivating the theme alone does not eliminate the risk, apply a mitigation rule from Patchstack or ask your hosting provider or web developer for assistance.