CVE-2020-36721

Exploit

EPSS 0.98%
Veröffentlicht 07.06.2023 02:15:12
Zuletzt bearbeitet 08.04.2026 19:17:34
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Epsilon Framework Themes (Various Versions) - Unauthenticated Plugin Activation/Deactivation

The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing capability and security checks/nonces. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins installed on a vulnerable site.

Mögliche Gegenmaßnahme

Activello: Update to version 1.4.2, or a newer patched version

Brilliance: Update to version 1.3.0, or a newer patched version

Newspaper X: Update to version 1.3.2, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 9

NVD 15 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Colorlib ≫ Activello SwPlatformwordpress Version < 1.4.2

Colorlib ≫ Bonkers SwPlatformwordpress Version < 1.0.6

Colorlib ≫ Illdy SwPlatformwordpress Version < 2.1.7

Colorlib ≫ Newspaper X SwPlatformwordpress Version < 1.3.2

Colorlib ≫ Pixova Lite SwPlatformwordpress Version < 2.0.7

Colorlib ≫ Shapely SwPlatformwordpress Version < 1.2.9

Cpothemes ≫ Affluent SwPlatformwordpress Version < 1.1.2

Cpothemes ≫ Allegiant SwPlatformwordpress Version < 1.2.6

Cpothemes ≫ Brilliance SwPlatformwordpress Version < 1.3.0

Cpothemes ≫ Transcend SwPlatformwordpress Version < 1.2.0

Machothemes ≫ Antreas SwPlatformwordpress Version < 1.0.7

Machothemes ≫ Medzone Lite SwPlatformwordpress Version < 1.2.6

Machothemes ≫ Naturemag Lite SwPlatformwordpress Version <= 1.0.4

Machothemes ≫ Newsmag SwPlatformwordpress Version < 2.4.2

Machothemes ≫ Regina Lite SwPlatformwordpress Version < 2.0.6

Weitere Schwachstelleninformationen

SystemWordPress Theme

≫

Produkt Activello

Version *-1.4.0

SystemWordPress Theme

≫

Produkt Brilliance

Version *-1.2.7

SystemWordPress Theme

≫

Produkt Newspaper X

Version *-1.3.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.98%	0.576

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
security@wordfence.com	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/

Third Party Advisory

Exploit

https://wordpress.org/themes/activello/

Product

https://wordpress.org/themes/brilliance/

Product

https://wordpress.org/themes/newspaper-x/

Product

https://www.wordfence.com/threat-intel/vulnerabilities/id/a9e4e989-8e55-4ea7-8f42-9f67cfab1168?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/a9e4e989-8e55-4ea7-8f42-9f67cfab1168

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-36721

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-36721

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-36721

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2020-36721