CVE-2020-36721

The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to unauthorized plugin activation and deactivation. This is because the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file lack capability checks and security (nonce) checks. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins installed on a vulnerable site.

Configurations

Configuration 1

OR cpe:2.3:a:colorlib:activello:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:colorlib:bonkers:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:colorlib:illdy:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:colorlib:newspaper_x:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:colorlib:pixova_lite:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:colorlib:shapely:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:cpothemes:affluent:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:cpothemes:allegiant:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:cpothemes:brilliance:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:cpothemes:transcend:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:machothemes:antreas:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:machothemes:medzone_lite:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:machothemes:naturemag_lite:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:machothemes:newsmag:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:machothemes:regina_lite:*:*:*:*:*:wordpress:*:*

History

16 Jun 2023, 15:17

Type: CVSS
  Values Removed: v2 : unknown, v3 : unknown
  Values Added: v2 : unknown, v3 : 6.5

Type: References
  Values Removed: (MISC) https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/
  Values Added: (MISC) https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/ - Exploit, Third Party Advisory

Type: References
  Values Removed: (MISC) https://wordpress.org/themes/brilliance/
  Values Added: (MISC) https://wordpress.org/themes/brilliance/ - Product

Type: References
  Values Removed: (MISC) https://wordpress.org/themes/newspaper-x/
  Values Added: (MISC) https://wordpress.org/themes/newspaper-x/ - Product

Type: References
  Values Removed: (MISC) https://wordpress.org/themes/activello/
  Values Added: (MISC) https://wordpress.org/themes/activello/ - Product

Type: References
  Values Removed: (MISC) https://www.wordfence.com/threat-intel/vulnerabilities/id/a9e4e989-8e55-4ea7-8f42-9f67cfab1168?source=cve
  Values Added: (MISC) https://www.wordfence.com/threat-intel/vulnerabilities/id/a9e4e989-8e55-4ea7-8f42-9f67cfab1168?source=cve - Third Party Advisory

Type: CPE
  Values Added:
  • cpe:2.3:a:cpothemes:allegiant:*:*:*:*:*:wordpress:*:*
  • cpe:2.3:a:machothemes:regina_lite:*:*:*:*:*:wordpress:*:*
  • cpe:2.3:a:machothemes:antreas:*:*:*:*:*:wordpress:*:*
  • cpe:2.3:a:machothemes:naturemag_lite:*:*:*:*:*:wordpress:*:*
  • cpe:2.3:a:colorlib:pixova_lite:*:*:*:*:*:wordpress:*:*
  • cpe:2.3:a:machothemes:newsmag:*:*:*:*:*:wordpress:*:*
  • cpe:2.3:a:colorlib:illdy:*:*:*:*:*:wordpress:*:*
  • cpe:2.3:a:cpothemes:affluent:*:*:*:*:*:wordpress:*:*
  • cpe:2.3:a:colorlib:activello:*:*:*:*:*:wordpress:*:*
  • cpe:2.3:a:cpothemes:brilliance:*:*:*:*:*:wordpress:*:*
  • cpe:2.3:a:colorlib:shapely:*:*:*:*:*:wordpress:*:*
  • cpe:2.3:a:colorlib:newspaper_x:*:*:*:*:*:wordpress:*:*
  • cpe:2.3:a:colorlib:bonkers:*:*:*:*:*:wordpress:*:*
  • cpe:2.3:a:cpothemes:transcend:*:*:*:*:*:wordpress:*:*
  • cpe:2.3:a:machothemes:medzone_lite:*:*:*:*:*:wordpress:*:*

Type: First Time
  Values Added:
  • Cpothemes brilliance
  • Colorlib pixova Lite
  • Colorlib bonkers
  • Colorlib activello
  • Colorlib shapely
  • Cpothemes allegiant
  • Cpothemes transcend
  • Colorlib illdy
  • Machothemes newsmag
  • Colorlib
  • Cpothemes
  • Machothemes
  • Machothemes antreas
  • Cpothemes affluent
  • Machothemes medzone Lite
  • Colorlib newspaper X
  • Machothemes regina Lite
  • Machothemes naturemag Lite

Type: CWE
  Values Added: CWE-862

07 Jun 2023, 02:45

Type: New CVE

Information

Published : 2023-06-07 02:15

Updated : 2024-02-28 20:13


NVD link : CVE-2020-36721

Mitre link : CVE-2020-36721

CVE.ORG link : CVE-2020-36721



Products Affected

colorlib

  • pixova_lite
  • illdy
  • newspaper_x
  • activello
  • bonkers
  • shapely

cpothemes

  • transcend
  • affluent
  • brilliance
  • allegiant

machothemes

  • antreas
  • medzone_lite
  • newsmag
  • regina_lite
  • naturemag_lite

CWE

CWE-862: Missing Authorization