Security feature bypass

2023-06-0702:15:00

PRIOn knowledge base

www.prio-n.com

wordpress

theme vulnerability

unauthenticated attack

6.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.6%

JSON

The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the ‘activello_activate_plugin’ and ‘activello_deactivate_plugin’ functions in the ‘inc/welcome-screen/class-activello-welcome.php’ file missing capability and security checks/nonces. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins installed on a vulnerable site.

CPENameOperatorVersion
activellolt1.4.2
bonkerslt1.0.6
illdylt2.1.7
newspaper_xlt1.3.2
pixova_litelt2.0.7
shapelylt1.2.9
affluentlt1.1.2
allegiantlt1.2.6
brilliancelt1.3.0
transcendlt1.2.0

Name	Operator	Version
activello	lt	1.4.2
bonkers	lt	1.0.6
illdy	lt	2.1.7
newspaper_x	lt	1.3.2
pixova_lite	lt	2.0.7
shapely	lt	1.2.9
affluent	lt	1.1.2
allegiant	lt	1.2.6
brilliance	lt	1.3.0
transcend	lt	1.2.0

Rows per page:

1-10 of 151

References

blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/

wordpress.org/themes/activello/

wordpress.org/themes/brilliance/

wordpress.org/themes/newspaper-x/

www.wordfence.com/threat-intel/vulnerabilities/id/a9e4e989-8e55-4ea7-8f42-9f67cfab1168?source=cve