CVE-2026-40809
Received - Intake
Missing Authorization in Rara Themes Metro Magazine

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Patchstack

Description
Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.4.1.
Meta Information
Published: 2026-06-16
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
rara_themes | metro_magazine | From 1.0.0 (inc) to 1.4.1 (inc)
CWE ID | Description
CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-40809 is a Missing Authorization vulnerability in the WordPress Metro Magazine Theme (version 1.4.1 and below). It is a Broken Access Control issue where missing authorization checks allow unauthenticated users to perform actions that should require higher privileges.

This vulnerability is classified as medium priority with a CVSS score of 6.5 and falls under the OWASP Top 10 category A1: Broken Access Control.

Compliance Impact

The vulnerability is a Missing Authorization issue that allows unauthenticated users to perform higher-privileged actions due to broken access control.

Such broken access control vulnerabilities can lead to unauthorized access or modification of data, which may result in non-compliance with standards and regulations like GDPR and HIPAA that require strict access controls to protect sensitive information.

Therefore, if exploited, this vulnerability could potentially cause violations of these regulations by allowing unauthorized data access or changes.

Impact Analysis

This vulnerability can allow attackers to exploit incorrectly configured access control security levels, enabling them to perform privileged actions without authentication.

Such exploitation can lead to unauthorized changes or actions on your website, potentially compromising its integrity and availability.

Because the vulnerability can be exploited in mass campaigns targeting thousands of websites, it poses a significant risk if not patched or mitigated.

Detection Guidance

This vulnerability involves missing authorization checks in the Metro Magazine WordPress theme, allowing unauthenticated users to perform privileged actions. Detection typically involves monitoring for unauthorized access attempts or unusual activity related to theme functions.

While no specific commands are provided in the resources, common detection methods include reviewing web server logs for suspicious requests targeting the Metro Magazine theme endpoints, and using vulnerability scanners that check for broken access control issues.

Mitigation Strategies

The immediate recommended step is to update the Metro Magazine WordPress theme to version 1.4.2 or later, where the vulnerability has been patched.

If updating immediately is not possible, applying Patchstack's mitigation rule to block attacks targeting this vulnerability is advised as a temporary measure.
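
To find installs that still need the update, the following added example (not code from the advisory, Patchstack, or the theme's authors) walks a hosting tree, reads each copy of the theme's `style.css` version header, and flags anything below 1.4.2. It assumes the theme lives in a directory named `metro-magazine` under the standard `wp-content/themes/` layout; the three-site tree in `demo()` is constructed sample data.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 4, 2)               # first patched release named in the advisory
THEME_SLUG = "metro-magazine"   # assumption: the theme's directory name

def parse_version(css_text):
    """Read the Version header from a theme's style.css (None if absent)."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", css_text, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(version):
    """Compare against FIXED, padding so that 1.4 is treated as 1.4.0."""
    if version is None:
        return "unknown"
    n = max(len(version), len(FIXED))
    pad = lambda v: v + (0,) * (n - len(v))
    return "vulnerable" if pad(version) < pad(FIXED) else "patched"

def audit(root):
    """Find every copy of the theme under root; return (site, version, status)."""
    pattern = f"**/wp-content/themes/{THEME_SLUG}/style.css"
    rows = []
    for css in sorted(Path(root).glob(pattern)):
        # WordPress reads theme headers from the first 8 KiB of the file only.
        version = parse_version(css.read_text(errors="replace")[:8192])
        site = css.parents[3].name  # directory that contains wp-content
        label = ".".join(map(str, version)) if version else "?"
        rows.append((site, label, classify(version)))
    return rows

def demo():
    """Build a constructed three-site tree and audit it."""
    samples = {"site-a": "Version: 1.4.1", "site-b": "Version: 1.4.2", "site-c": ""}
    with tempfile.TemporaryDirectory() as tmp:
        for site, header in samples.items():
            theme = Path(tmp, site, "wp-content", "themes", THEME_SLUG)
            theme.mkdir(parents=True)
            (theme / "style.css").write_text(
                f"/*\nTheme Name: Metro Magazine\n{header}\n*/\n")
        return audit(tmp)

if __name__ == "__main__":
    for row in demo():
        print(*row, sep="\t")
```

An `unknown` result means the version header could not be read, so that install should be checked by hand rather than assumed patched.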
