CVE-2020-36721

Severity: Medium (CVSS 3.1 base score 6.5)
EPSS: 57.8%
Published: Jun 7, 2023 (3y ago) · Last Modified: Jun 17, 2026 (2w ago)

Description

The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to unauthenticated plugin activation and deactivation. The 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file perform neither a capability check nor a nonce check, so an unauthenticated attacker can activate or deactivate any plugin already installed on a vulnerable site. The impact is limited to toggling plugins that are present (CVSS I:L/A:L), but that includes deactivating security or backup plugins. The Affected Products table below lists 15 themes across three vendors affected by the same issue; where its bounds differ from the versions quoted here (for example Activello < 1.4.2), treat the table's bounds as the conservative ranges.
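The two handlers below are an added illustration, not code from the affected themes or from this page. The first is a minimal WordPress AJAX handler that toggles plugins straight from request input, which is the shape of bug the description names; the second adds the nonce check, capability check and plugin allow-list that the description says are missing. The hook name `example_toggle_plugin`, the request parameters `plugin`, `do` and `nonce`, and the use of a `wp_ajax_nopriv_` hook to model the unauthenticated path are assumptions made for the example.

```php
<?php
// Added illustrative example, not the themes' own code. Hook and parameter
// names (example_toggle_plugin, plugin, do, nonce) are assumptions.

// --- Vulnerable pattern: no nonce, no capability check, untrusted input ---
function example_toggle_plugin_vulnerable() {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $plugin = $_REQUEST['plugin']; // e.g. "akismet/akismet.php", attacker-controlled
    if ( isset( $_REQUEST['do'] ) && 'activate' === $_REQUEST['do'] ) {
        // WordPress' own validate_plugin() limits this to files under the plugin
        // directory, which is why the impact is "plugins installed on the site".
        activate_plugin( $plugin );
    } else {
        deactivate_plugins( $plugin );
    }
    wp_die();
}
// In this illustration the nopriv hook is what lets logged-out users reach it.
add_action( 'wp_ajax_nopriv_example_toggle_plugin', 'example_toggle_plugin_vulnerable' );
add_action( 'wp_ajax_example_toggle_plugin', 'example_toggle_plugin_vulnerable' );

// --- Hardened pattern ---
function example_toggle_plugin_hardened() {
    // 1. Nonce: the request must carry a token the site itself issued for this
    //    action (CSRF defence). check_ajax_referer() dies on failure.
    check_ajax_referer( 'example_toggle_plugin', 'nonce' );

    // 2. Capability: only users allowed to manage plugins may reach the action.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    // 3. Allow-list: accept only a plugin file WordPress already knows about.
    $plugin = sanitize_text_field( wp_unslash( $_POST['plugin'] ?? '' ) );
    if ( ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_send_json_error( 'unknown plugin', 400 );
    }

    $do = sanitize_text_field( wp_unslash( $_POST['do'] ?? '' ) );
    if ( 'activate' === $do ) {
        $result = activate_plugin( $plugin ); // null on success, WP_Error on failure
        if ( is_wp_error( $result ) ) {
            wp_send_json_error( $result->get_error_message(), 500 );
        }
    } elseif ( 'deactivate' === $do ) {
        deactivate_plugins( $plugin );
    } else {
        wp_send_json_error( 'bad action', 400 );
    }
    wp_send_json_success( $do );
}
// Authenticated hook only: no wp_ajax_nopriv_ variant is registered.
add_action( 'wp_ajax_example_toggle_plugin', 'example_toggle_plugin_hardened' );
```

The order of the three checks matters in practice: the nonce check runs first so that a forged cross-site request from a logged-in administrator is rejected before any state changes, the capability check then stops low-privilege accounts, and the allow-list against `get_plugins()` keeps the value within the set of installed plugin files regardless of what the caller sends.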

CVSS Details

Base Score
6.5
Exploitability
3.9
Impact
2.5
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability Low

Threat Intelligence

EPSS exploit probability: 57.8%
Exploit status: public exploit known (see the nintechnet reference below)
Patch status: recorded on this page as "No Patch Available". Note that the affected-version ranges below are upper-bounded (for example Activello < 1.4.2) and the nintechnet advisory referenced below describes the issue as fixed in 15 themes, which indicates that fixed releases exist.

Weaknesses (2)

CWE-284 Improper Access Control
CWE-862 Missing Authorization

Affected Products (15)

Vendor        Product          Version   Range
colorlib      activello        *         < 1.4.2
colorlib      bonkers          *         < 1.0.6
colorlib      illdy            *         < 2.1.7
colorlib      newspaper_x      *         < 1.3.2
colorlib      pixova_lite      *         < 2.0.7
colorlib      shapely          *         < 1.2.9
cpothemes     affluent         *         < 1.1.2
cpothemes     allegiant        *         < 1.2.6
cpothemes     brilliance       *         < 1.3.0
cpothemes     transcend        *         < 1.2.0
machothemes   antreas          *         < 1.0.7
machothemes   medzone_lite     *         < 1.2.6
machothemes   naturemag_lite   *         ≤ 1.0.4
machothemes   newsmag          *         < 2.4.2
machothemes   regina_lite      *         < 2.0.6
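As an added example (not part of this page or of the vendors' tooling), the script below turns the table above into a check a practitioner can run against an installation: it parses the header block of a theme's `style.css`, normalises the theme name to the table's product keys, and compares the installed version against the range bound, honouring the one inclusive bound in the table (naturemag_lite ≤ 1.0.4). The sample headers are constructed for the example, and the slug normalisation (`Newspaper X` → `newspaper_x`) is an assumption about how theme names map to the table's product names.

```python
import re
from typing import Optional

# Affected-version bounds as listed in the table above:
# product -> (vendor, bound, bound_is_inclusive).
# Every row is "< bound" except naturemag_lite, which the table gives as "<= 1.0.4".
AFFECTED = {
    "activello":      ("colorlib",    "1.4.2", False),
    "bonkers":        ("colorlib",    "1.0.6", False),
    "illdy":          ("colorlib",    "2.1.7", False),
    "newspaper_x":    ("colorlib",    "1.3.2", False),
    "pixova_lite":    ("colorlib",    "2.0.7", False),
    "shapely":        ("colorlib",    "1.2.9", False),
    "affluent":       ("cpothemes",   "1.1.2", False),
    "allegiant":      ("cpothemes",   "1.2.6", False),
    "brilliance":     ("cpothemes",   "1.3.0", False),
    "transcend":      ("cpothemes",   "1.2.0", False),
    "antreas":        ("machothemes", "1.0.7", False),
    "medzone_lite":   ("machothemes", "1.2.6", False),
    "naturemag_lite": ("machothemes", "1.0.4", True),
    "newsmag":        ("machothemes", "2.4.2", False),
    "regina_lite":    ("machothemes", "2.0.6", False),
}


def parse_version(text: str) -> tuple:
    """Turn '1.4' or '1.4.0' into a comparable 3-tuple; both become (1, 4, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def slugify(theme_name: str) -> str:
    """Assumed mapping from a theme's display name to the table's product key,
    e.g. 'Newspaper X' -> 'newspaper_x', 'NatureMag Lite' -> 'naturemag_lite'."""
    return re.sub(r"[^a-z0-9]+", "_", theme_name.lower()).strip("_")


def is_affected(product: str, version: str) -> Optional[str]:
    """Return the vendor name when (product, version) falls inside an affected
    range from the table, otherwise None. Unknown products are never affected."""
    entry = AFFECTED.get(product)
    if entry is None:
        return None
    vendor, bound, inclusive = entry
    installed, limit = parse_version(version), parse_version(bound)
    inside = installed <= limit if inclusive else installed < limit
    return vendor if inside else None


# WordPress theme headers are "Key: value" lines inside the style.css comment block.
STYLE_HEADER = re.compile(r"^\s*(Theme Name|Version):\s*(.+?)\s*$", re.M)


def check_style_css(style_css: str) -> Optional[str]:
    """Parse a theme's style.css header and report the vendor if the installed
    version is in an affected range; None if unaffected or header incomplete."""
    fields = dict(STYLE_HEADER.findall(style_css))
    if "Theme Name" not in fields or "Version" not in fields:
        return None
    return is_affected(slugify(fields["Theme Name"]), fields["Version"])


# Constructed sample headers for the example (not real files from the themes).
SAMPLES = {
    "activello":      "/*\nTheme Name: Activello\nAuthor: Colorlib\nVersion: 1.4.0\n*/",
    "newspaper-x":    "/*\nTheme Name: Newspaper X\nVersion: 1.3.2\n*/",
    "naturemag-lite": "/*\nTheme Name: NatureMag Lite\nVersion: 1.0.4\n*/",
    "twentytwenty":   "/*\nTheme Name: Twenty Twenty\nVersion: 2.0\n*/",
}

if __name__ == "__main__":
    for theme_dir, css in SAMPLES.items():
        vendor = check_style_css(css)
        print(f"{theme_dir}: {'AFFECTED (' + vendor + ')' if vendor else 'not in affected range'}")
```

On a real site, feed `check_style_css()` the contents of each `wp-content/themes/<dir>/style.css`; inactive themes still count, since the vulnerable handler lives in theme code that WordPress loads only for the active theme, but a later switch would re-expose it.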

References (5)

  • https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/ (Exploit, Third Party Advisory)
  • https://wordpress.org/themes/activello/ (Product)
  • https://wordpress.org/themes/brilliance/ (Product)
  • https://wordpress.org/themes/newspaper-x/ (Product)
  • https://www.wordfence.com/threat-intel/vulnerabilities/id/a9e4e989-8e55-4ea7-8f42-9f67cfab1168?source=cve (Third Party Advisory)

Remediation

No remediation data is recorded for this entry. The affected-version ranges above are upper-bounded (for example Activello < 1.4.2, Brilliance < 1.3.0, Newspaper X < 1.3.2), and the nintechnet advisory referenced above describes the issue as fixed in the 15 listed themes, so updating each installed theme to a version at or beyond its range bound is the expected fix. The description's narrower bounds (Activello <= 1.4.0, Brilliance <= 1.2.7, Newspaper X <= 1.3.1) should not be taken as the safe cut-off; use the table's bounds. Confirm against the vendor advisories and the NVD entry, since the patch status field on this page still reads "No Patch Available".