CVE-2020-36721
Published 2023-06-07
Priority: P3 (36) | CVSS 3.1: 6.5 medium
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
EPSS: 0.98% (57.8th percentile)
The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing capability and security checks/nonces. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins installed on a vulnerable site.
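The two missing controls named above (a nonce for request forgery protection and a capability check for authorization) are what separate a safe plugin-management handler from the vulnerable one. The following is an added illustrative example of a hardened WordPress AJAX handler; it is not code from the Activello, Brilliance or Newspaper X themes, and the hook name, nonce action and request field (`example_activate_plugin`, `example_activate_plugin_nonce`, `plugin`) are assumptions.

```php
<?php
// Added illustrative example, not code from the affected themes.
// Hook name, nonce action and the 'plugin' request field are assumptions.
// Privileged actions are registered on wp_ajax_ only (logged-in users),
// never on wp_ajax_nopriv_, which is reachable without authentication.
add_action( 'wp_ajax_example_activate_plugin', 'example_activate_plugin' );

function example_activate_plugin() {
    // 1. Request-forgery protection: the request must carry a nonce bound to
    //    this action. check_ajax_referer() terminates the request (-1) when
    //    the nonce is missing or invalid.
    check_ajax_referer( 'example_activate_plugin_nonce', 'nonce' );

    // 2. Authorization: only users allowed to activate plugins continue.
    //    The CVE's root cause is that this check and the nonce check were
    //    both absent, so the handler performed the action for any caller.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: accept only a plugin file that is actually
    //    installed rather than passing the raw request value onward.
    $requested = isset( $_POST['plugin'] )
        ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) )
        : '';

    // get_plugins() and activate_plugin() live in wp-admin; load them for AJAX.
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $installed = array_keys( get_plugins() ); // e.g. 'akismet/akismet.php'
    if ( '' === $requested || ! in_array( $requested, $installed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown plugin.' ), 400 );
    }

    // 4. Perform the privileged action and report the outcome.
    $result = activate_plugin( $requested );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'activated' => $requested ) );
}
```

A deactivation handler follows the same shape, calling deactivate_plugins() after the identical nonce, capability and installed-plugin checks.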
Affected (18 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| colorlib | activello | < 1.4.2 | 1.4.2 |
| colorlib | bonkers | < 1.0.6 | 1.0.6 |
| colorlib | illdy | < 2.1.7 | 2.1.7 |
| colorlib | newspaper_x | < 1.3.2 | 1.3.2 |
| colorlib | pixova_lite | < 2.0.7 | 2.0.7 |
| colorlib | shapely | < 1.2.9 | 1.2.9 |
| cpothemes | affluent | < 1.1.2 | 1.1.2 |
| cpothemes | allegiant | < 1.2.6 | 1.2.6 |
| cpothemes | brilliance | < 1.3.0 | 1.3.0 |
| cpothemes | transcend | < 1.2.0 | 1.2.0 |
| machothemes | antreas | < 1.0.7 | 1.0.7 |
| machothemes | medzone_lite | < 1.2.6 | 1.2.6 |
| machothemes | naturemag_lite | <= 1.0.4 | — |
| machothemes | newsmag | < 2.4.2 | 2.4.2 |
| machothemes | regina_lite | < 2.0.6 | 2.0.6 |
| silkalns | activello | <= 1.4.0 | — |
| silkalns | newspaper_x | <= 1.3.1 | — |
| wpchill | brilliance | <= 1.2.7 | — |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/
- https://wordpress.org/themes/activello/
- https://wordpress.org/themes/brilliance/
- https://wordpress.org/themes/newspaper-x/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a9e4e989-8e55-4ea7-8f42-9f67cfab1168?source=cve