CVE-2026-22450 identifies a missing authorization vulnerability in the Select-Themes Don Peppe product, affecting versions up to and including 1.3. The core issue stems from incorrectly configured access control security levels, which allow authenticated users with limited privileges (PR:L) to access resources or functionalities that should be restricted. The vulnerability is exploitable remotely over the network (AV:N) without requiring user interaction (UI:N). The CVSS v3.1 base score of 4.3 reflects a medium severity, primarily due to the limited impact on confidentiality (C:L), and no impact on integrity (I:N) or availability (A:N). The vulnerability does not allow privilege escalation but can lead to unauthorized information disclosure. No patches or known exploits are currently documented, indicating that the vulnerability is either newly discovered or not yet widely exploited. The issue likely arises from missing or improperly implemented authorization checks in the theme's code, which could allow attackers to bypass intended access restrictions. Given that Don Peppe is a WordPress theme product, the vulnerability could affect websites using this theme, potentially exposing sensitive site data or configuration details to unauthorized users.

For European organizations using the Select-Themes Don Peppe theme, this vulnerability could lead to unauthorized disclosure of sensitive information, such as configuration data, user details, or other protected content managed by the theme. While the impact is limited to confidentiality and does not affect data integrity or system availability, the exposure of sensitive information could facilitate further attacks or data breaches. Organizations in sectors with strict data protection regulations, such as finance, healthcare, or government, may face compliance risks if sensitive data is exposed. The vulnerability's requirement for some level of authentication reduces the risk from anonymous attackers but still poses a threat from insider threats or compromised accounts. The absence of known exploits reduces immediate risk but does not eliminate the need for proactive mitigation. Given the widespread use of WordPress and its themes across Europe, especially in small to medium enterprises and public sector websites, the potential attack surface is significant. Failure to address this vulnerability could undermine trust and lead to reputational damage.

Organizations should immediately audit their WordPress installations to identify the use of the Don Peppe theme, particularly versions up to 1.3. Until an official patch is released, administrators should review and tighten access control configurations related to the theme, ensuring that only authorized roles have access to sensitive theme functionalities. Implementing the principle of least privilege for user roles can reduce the risk of exploitation. Monitoring logs for unusual access patterns or privilege misuse is recommended to detect potential exploitation attempts. If possible, temporarily disabling or replacing the Don Peppe theme with a secure alternative can mitigate risk. Keeping WordPress core and all plugins/themes updated is critical to prevent exploitation of known vulnerabilities. Additionally, applying web application firewall (WAF) rules to restrict unauthorized access to theme-specific endpoints may provide an additional layer of defense. Finally, organizations should prepare to apply official patches from Select-Themes promptly once available.