Skip to main content

Spexo Theme CVE-2026-12471

| EUVDEUVD-2026-39954 MEDIUM
Missing Authorization (CWE-862)
2026-06-27 Wordfence GHSA-q2p3-v4q2-729h
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-exploitable with low authentication (Subscriber account); integrity-only impact limited to unauthorized plugin activation; no confidentiality or availability consequence.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 27, 2026 - 07:51 vuln.today
CVE Published
Jun 27, 2026 - 06:50 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activate_plugin function in all versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate a limited set of plugins.

AnalysisAI

Unauthorized plugin activation in the Spexo WordPress theme (all versions through 2.0.11) is possible due to a missing capability check on the theme's activate_plugin function, exposing sites to integrity compromise by low-privileged authenticated users. Attackers holding Subscriber-level accounts or higher can trigger plugin activation outside of WordPress's native authorization controls, bypassing the intended administrator-only restriction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or compromise Subscriber-level WordPress account
Delivery
Send authenticated request to theme's activate_plugin function
Exploit
Bypass missing capability check
Execution
Activate limited set of theme-associated plugins without authorization
Impact
Expand attack surface via newly activated plugin

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with at minimum Subscriber-level role on a site running Spexo theme version 2.0.11 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 score of 4.3 (Medium) is consistent with the technical impact: network-accessible (AV:N), low complexity (AC:L), low privilege required (PR:L), no user interaction needed (UI:N), and limited integrity-only impact (I:L) with no confidentiality or availability consequence (C:N, A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free Subscriber-level account on a WordPress site with open registration enabled and the Spexo theme active. The attacker sends a crafted authenticated HTTP request targeting the activate_plugin function in the theme's welcome notice handler, bypassing the missing capability check and activating one of the theme's bundled or suggested plugins without administrator approval. …
Remediation Update the Spexo theme beyond version 2.0.11 once a patched release is published to the WordPress theme directory; a fix changeset has been committed to the theme repository (https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=334799%40spexo&new=334799%40spexo), but a specific released version number for the fixed build is not independently confirmed from available data - verify the current version in the WordPress theme directory before updating. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12471 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy