Description
The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to unauthorized plugin activation/deactivation. This is because the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file lack capability checks and nonce verification. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins installed on a vulnerable site.
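The defect class described above is an admin-ajax handler that performs a privileged action without first verifying a nonce and the caller's capability. The following is an added example of how such handlers are hardened in a WordPress theme; it is not the theme's own code, and the hook names, the nonce action 'activello_welcome_nonce', the 'plugin' request parameter and the recommended-plugin allow-list are assumptions made for illustration.

```php
<?php
/**
 * Added example (not the theme's code): hardened AJAX handlers for plugin
 * activation/deactivation from a theme welcome screen.
 *
 * Two controls the advisory says were missing are applied in one shared
 * gate: nonce verification (check_ajax_referer) and a capability check
 * (current_user_can). The handlers are registered on wp_ajax_* only; no
 * wp_ajax_nopriv_* hook exists, so unauthenticated requests never reach them.
 */

add_action( 'wp_ajax_activello_activate_plugin',   'activello_activate_plugin' );
add_action( 'wp_ajax_activello_deactivate_plugin', 'activello_deactivate_plugin' );

/** Assumed allow-list: only plugins the welcome screen actually recommends. */
function activello_recommended_plugins() {
    return array(
        'example-plugin/example-plugin.php', // constructed placeholder entry
    );
}

/**
 * Shared gate: returns a validated plugin file path or sends a JSON error
 * and terminates the request. Order matters: reject unauthorized callers
 * before touching any user-supplied input.
 */
function activello_authorize_plugin_request() {
    // 1. Nonce: blocks cross-site forged requests. Dies with 403 on failure.
    //    The nonce is created server-side with wp_create_nonce('activello_welcome_nonce')
    //    and passed to the page script via wp_localize_script().
    check_ajax_referer( 'activello_welcome_nonce', 'nonce' );

    // 2. Capability: only users permitted to manage plugins (CWE-862 fix).
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: accept only a known, installed plugin.
    $plugin = isset( $_POST['plugin'] )
        ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) )
        : '';

    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $installed = get_plugins(); // keyed by 'dir/file.php'

    if ( '' === $plugin
        || ! in_array( $plugin, activello_recommended_plugins(), true )
        || ! array_key_exists( $plugin, $installed ) ) {
        wp_send_json_error( array( 'message' => 'Unknown or disallowed plugin.' ), 400 );
    }

    return $plugin;
}

function activello_activate_plugin() {
    $plugin = activello_authorize_plugin_request();

    $result = activate_plugin( $plugin );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'plugin' => $plugin, 'state' => 'active' ) );
}

function activello_deactivate_plugin() {
    $plugin = activello_authorize_plugin_request();

    deactivate_plugins( $plugin ); // returns null; errors are not reported
    wp_send_json_success( array( 'plugin' => $plugin, 'state' => 'inactive' ) );
}
```

The allow-list is the detail most often overlooked: even with nonce and capability checks in place, a handler that activates whatever plugin path the request names is broader than the welcome screen needs. Restricting it to the plugins the theme recommends, and confirming each is actually installed, keeps the handler's reach equal to its purpose.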
References (5)
Exploit, Third Party Advisory
https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/
Scores
CVSS v3: 6.5
EPSS: 0.0098
EPSS Percentile: 57.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-284, CWE-862
Status: published
Products (18)
colorlib/activello < 1.4.2
colorlib/bonkers < 1.0.6
colorlib/illdy < 2.1.7
colorlib/newspaper_x < 1.3.2
colorlib/pixova_lite < 2.0.7
colorlib/shapely < 1.2.9
cpothemes/affluent < 1.1.2
cpothemes/allegiant < 1.2.6
cpothemes/brilliance < 1.3.0
cpothemes/transcend < 1.2.0
... and 8 more
Published: Jun 07, 2023
Tracked Since: Feb 18, 2026