The Spacious WordPress theme contains a missing authorization vulnerability (CWE-862) in the 'welcome_notice_import_handler' function. This flaw allows authenticated users with low privileges (Subscriber-level and above) to import demo data into the site, bypassing intended capability checks. The vulnerability affects all versions up to and including 1.9.11. The CVSS 3.1 base score is 4.3, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. No known exploits are reported in the wild, and no patch or remediation information is currently available.

An attacker with Subscriber-level or higher access can import demo data into the WordPress site using the Spacious theme, potentially modifying site content or configuration without proper authorization. This does not impact confidentiality or availability but allows unauthorized integrity modification of site data.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Subscriber-level access to trusted users only. Monitor for updates from the themegrill vendor regarding patches or official mitigations.