Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network-exploitable with low authentication (Subscriber account); integrity-only impact limited to unauthorized plugin activation; no confidentiality or availability consequence.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activate_plugin function in all versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate a limited set of plugins.
AnalysisAI
Unauthorized plugin activation in the Spexo WordPress theme (all versions through 2.0.11) is possible due to a missing capability check on the theme's activate_plugin function, exposing sites to integrity compromise by low-privileged authenticated users. Attackers holding Subscriber-level accounts or higher can trigger plugin activation outside of WordPress's native authorization controls, bypassing the intended administrator-only restriction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with at minimum Subscriber-level role on a site running Spexo theme version 2.0.11 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 score of 4.3 (Medium) is consistent with the technical impact: network-accessible (AV:N), low complexity (AC:L), low privilege required (PR:L), no user interaction needed (UI:N), and limited integrity-only impact (I:L) with no confidentiality or availability consequence (C:N, A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free Subscriber-level account on a WordPress site with open registration enabled and the Spexo theme active. The attacker sends a crafted authenticated HTTP request targeting the activate_plugin function in the theme's welcome notice handler, bypassing the missing capability check and activating one of the theme's bundled or suggested plugins without administrator approval. … |
| Remediation | Update the Spexo theme beyond version 2.0.11 once a patched release is published to the WordPress theme directory; a fix changeset has been committed to the theme repository (https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=334799%40spexo&new=334799%40spexo), but a specific released version number for the fixed build is not independently confirmed from available data - verify the current version in the WordPress theme directory before updating. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39954
GHSA-q2p3-v4q2-729h