CVE-2026-22343: WordPress WordPress Dating Theme theme <= 11.2.0 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in WordPress Dating Theme <= 11.2.0 versions.
Metrics
- CVSS v3.1
- 8.6
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A broken access control vulnerability affects the WordPress Dating Theme plugin by PremiumPress Limited, versions 11.2.0 and below. The flaw is reachable over the network without any authentication, meaning any remote visitor can trigger the affected functionality. Successful exploitation gives an attacker read access to sensitive data and limited ability to modify or disrupt the affected site. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-22343 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle this theme.
AvailableHarborGuard scores this CVE at 8.6 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing, ensuring it lands in the right team inbox within each customer organization.
AvailableBecause no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment PremiumPress Limited ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The attacker must reach the WordPress service over the network; no prior foothold on the host is required.
- AuthenticationNot required
No account or session token is needed; the vulnerable functionality is accessible to any unauthenticated HTTP request.
- Victim interactionNot required
The attacker does not need to trick or involve any user to trigger the vulnerability.
- Attack complexityDetail
The exploit is reliable and condition-free; no race conditions, memory layout dependencies, or special environmental factors must align for the attack to succeed.
Blast Radius
- An attacker reads sensitive site data, which may include user profile information, private messages, or stored credentials held in the dating platform.
- An attacker makes limited modifications to persisted site content or configuration rows within the application.
- An attacker causes limited disruption to site availability, degrading the experience for users of the dating platform.
- Because no authentication barrier exists, exploitation can be scripted and run at scale against any publicly accessible instance of the theme.
How HarborGuard Handles This
Available on HarborGuard: automated detection for this CVE is active and will flag any image found to include WordPress Dating Theme 11.2.0 or below. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will trigger the rebuild-and-PR flow the moment PremiumPress Limited publishes a fix; for customers with auto-remediation enabled, that means a rebuilt image, a regression test run, and a pull request opened against affected workloads with no manual steps required. In the interim, compensating controls worth evaluating include network-policy rules that restrict unauthenticated external access to the WordPress installation, web application firewall rules targeting the affected endpoint, and disabling or replacing the theme on non-public-facing environments until a patch is available.
- PremiumPress Limited. / WordPress Dating Theme≤ 11.2.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L