CVE-2020-36721 — MEDIUM (6.5)

Q: How severe is CVE-2020-36721?

CVE-2020-36721 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-36721?

Check the references section above for vendor advisories and patch information. Affected products include: Colorlib Activello, Colorlib Bonkers, Colorlib Illdy, Colorlib Newspaper X, Colorlib Pixova Lite.

Vulnerability Description

The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing capability and security checks/nonces. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins installed on a vulnerable site.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Colorlib	Activello	< 1.4.2
Colorlib	Bonkers	< 1.0.6
Colorlib	Illdy	< 2.1.7
Colorlib	Newspaper X	< 1.3.2
Colorlib	Pixova Lite	< 2.0.7
Colorlib	Shapely	< 1.2.9
Cpothemes	Affluent	< 1.1.2
Cpothemes	Allegiant	< 1.2.6
Cpothemes	Brilliance	< 1.3.0
Cpothemes	Transcend	< 1.2.0
Machothemes	Antreas	< 1.0.7
Machothemes	Medzone Lite	< 1.2.6
Machothemes	Naturemag Lite	<= 1.0.4
Machothemes	Newsmag	< 2.4.2
Machothemes	Regina Lite	< 2.0.6

Related Weaknesses (CWE)

CWE-284 CWE-862

References

https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixExploitThird Party Advisory
https://wordpress.org/themes/activello/Product
https://wordpress.org/themes/brilliance/Product
https://wordpress.org/themes/newspaper-x/Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/a9e4e989-8e55-4ea7-8f4Third Party Advisory
https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixExploitThird Party Advisory
https://wordpress.org/themes/activello/Product
https://wordpress.org/themes/brilliance/Product
https://wordpress.org/themes/newspaper-x/Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/a9e4e989-8e55-4ea7-8f4Third Party Advisory

FAQ

What is CVE-2020-36721?

CVE-2020-36721 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activello_activate_plugin' and 'activel...

How severe is CVE-2020-36721?

CVE-2020-36721 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-36721?

Check the references section above for vendor advisories and patch information. Affected products include: Colorlib Activello, Colorlib Bonkers, Colorlib Illdy, Colorlib Newspaper X, Colorlib Pixova Lite.