Skip to main content

Catch Themes Demo Import CVE-2026-15336

| EUVDEUVD-2026-44855 MEDIUM
Missing Authorization (CWE-862)
2026-07-16 Wordfence GHSA-pp39-pq9r-8cpp
4.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Subscriber-level authentication required (PR:L); only hardcoded plugin install is achievable (I:L); no confidentiality or availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 03:45 vuln.today
CVE Published
Jul 16, 2026 - 02:30 cve.org
MEDIUM 4.3

DescriptionNVD

The Catch Themes Demo Import plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 3.3. This is due to the catch_themes_demo_import_activate_plugin() function, hooked on admin_init when the activate_plugin GET parameter is present, calling Plugin_Upgrader::install() to download and install a plugin from WordPress.org before performing the current_user_can('activate_plugins') capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to install the hardcoded 'essential-content-types' plugin from the WordPress.

AnalysisAI

Missing authorization in the Catch Themes Demo Import WordPress plugin (versions up to and including 3.3) allows any subscriber-level authenticated user to force-install a hardcoded third-party plugin onto the target WordPress site. The vulnerability exists because catch_themes_demo_import_activate_plugin(), hooked on admin_init, invokes Plugin_Upgrader::install() to fetch and install 'essential-content-types' from WordPress.org before performing the current_user_can('activate_plugins') capability check - a classic authorization-check inversion. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as WordPress subscriber
Delivery
Send GET request with activate_plugin parameter to wp-admin
Exploit
admin_init hook fires catch_themes_demo_import_activate_plugin()
Execution
Plugin_Upgrader::install() fetches 'essential-content-types' from WordPress.org
Persist
Authorization check executes after install (no effect)
Impact
Unauthorized plugin installed on WordPress site

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress user account at subscriber level or above on the target site - unauthenticated exploitation is not possible (CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid WordPress subscriber account on the target site crafts an authenticated GET request to the wp-admin area with the activate_plugin parameter present, triggering the admin_init hook and causing the server to reach out to WordPress.org and install the 'essential-content-types' plugin without any further authorization check. No public exploit code has been identified at time of analysis, but the vulnerability is straightforward to reproduce manually given access to any low-privilege WordPress account.
Remediation Update the Catch Themes Demo Import plugin to a version beyond 3.3, where the authorization check has been relocated to precede the Plugin_Upgrader::install() call, as indicated by the upstream changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3604098%40catch-themes-demo-import&new=3604098%40catch-themes-demo-import. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15336 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy