CVE-2020-36721

MEDIUM

WordPress Themes - Plugin Activation/Deactivation

Description

The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing capability and security checks/nonces. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins installed on a vulnerable site.

Scores

CVSS v3 6.5
EPSS 0.0098
EPSS Percentile 57.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-284 CWE-862
Status published
Products (18)
colorlib/activello < 1.4.2
colorlib/bonkers < 1.0.6
colorlib/illdy < 2.1.7
colorlib/newspaper_x < 1.3.2
colorlib/pixova_lite < 2.0.7
colorlib/shapely < 1.2.9
cpothemes/affluent < 1.1.2
cpothemes/allegiant < 1.2.6
cpothemes/brilliance < 1.3.0
cpothemes/transcend < 1.2.0
... and 8 more
Published Jun 07, 2023
Tracked Since Feb 18, 2026