Themes Vulnerabilities

Holmes <= 1.7 - Authenticated (Subscriber+) Insecure Direct Object Reference

Description

The Holmes - Digital Agency WordPress Theme theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.7 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Themes

holmes
No known fix

References

CVE
CVE-2026-22400
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9915758a-47f0-4fa7-8885-311b2f75a7b6

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Tran Nguyen Bao Khanh
Verified
No
WPVDB ID
ea03fa67-195f-4865-a782-4ec524b4576b

Timeline

Publicly Published
2026-01-01 (about 3 months ago)
Added
2026-01-14 (about 2 months ago)
Last Updated
2026-01-14 (about 2 months ago)

Other

Published
Title
Published
2024-08-16
Title
Propovoice CRM <= 1.7.8 - Unauthenticated Insecure Direct Object Reference
Published
2022-08-04
Title
Sensei LMS < 4.5.2 - Arbitrary Private Message Sending via IDOR
Published
2025-11-24
Title
Frontend File Manager Plugin < 23.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary File Renaming
Published
2024-03-29
Title
Whizzy <= 1.1.18 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2024-12-13
Title
Get Post Content Shortcode <= 0.4 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via post_content Shortcode