CVE-2020-36721
published 2023-06-07

Priority: P3 36
Severity: medium, 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
EPSS: 0.98% (57.8th percentile)

The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing capability and security checks/nonces. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins installed on a vulnerable site.

Affected

18 ranges

Vendor       Product         Version range  Fixed in
colorlib     activello       < 1.4.2        1.4.2
colorlib     bonkers         < 1.0.6        1.0.6
colorlib     illdy           < 2.1.7        2.1.7
colorlib     newspaper_x     < 1.3.2        1.3.2
colorlib     pixova_lite     < 2.0.7        2.0.7
colorlib     shapely         < 1.2.9        1.2.9
cpothemes    affluent        < 1.1.2        1.1.2
cpothemes    allegiant       < 1.2.6        1.2.6
cpothemes    brilliance      < 1.3.0        1.3.0
cpothemes    transcend       < 1.2.0        1.2.0
machothemes  antreas         < 1.0.7        1.0.7
machothemes  medzone_lite    < 1.2.6        1.2.6
machothemes  naturemag_lite  <= 1.0.4
machothemes  newsmag         < 2.4.2        2.4.2
machothemes  regina_lite     < 2.0.6        2.0.6
silkalns     activello       <= 1.4.0
silkalns     newspaper_x     <= 1.3.1
wpchill      brilliance      <= 1.2.7