CVE-2020-36721

moderate-risk

Published 2023-06-07

The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing capability and security checks/nonces. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins installed on a vulnerable site.

Do I need to act?

0.18% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (15)

Activello

Bonkers

Illdy

Newspaper X

Pixova Lite

Shapely

Affluent

Allegiant

Brilliance

Transcend

Antreas

Medzone Lite

Naturemag Lite

Newsmag

Regina Lite

Affected Vendors

Colorlib Machothemes Cpothemes

References (10)

Exploit https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fix...

Product https://wordpress.org/themes/activello/

Product https://wordpress.org/themes/brilliance/

Product https://wordpress.org/themes/newspaper-x/

Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/a9e4e989-8e55-4ea7-8f4...

Exploit https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fix...

Product https://wordpress.org/themes/activello/

Product https://wordpress.org/themes/brilliance/

Product https://wordpress.org/themes/newspaper-x/

Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/a9e4e989-8e55-4ea7-8f4...

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 1/34 · Minimal

Exposure 18/34 · Moderate