Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Subscriber-level authentication required (PR:L); only hardcoded plugin install is achievable (I:L); no confidentiality or availability impact applies.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionNVD
The Catch Themes Demo Import plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 3.3. This is due to the catch_themes_demo_import_activate_plugin() function, hooked on admin_init when the activate_plugin GET parameter is present, calling Plugin_Upgrader::install() to download and install a plugin from WordPress.org before performing the current_user_can('activate_plugins') capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to install the hardcoded 'essential-content-types' plugin from the WordPress.
AnalysisAI
Missing authorization in the Catch Themes Demo Import WordPress plugin (versions up to and including 3.3) allows any subscriber-level authenticated user to force-install a hardcoded third-party plugin onto the target WordPress site. The vulnerability exists because catch_themes_demo_import_activate_plugin(), hooked on admin_init, invokes Plugin_Upgrader::install() to fetch and install 'essential-content-types' from WordPress.org before performing the current_user_can('activate_plugins') capability check - a classic authorization-check inversion. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress user account at subscriber level or above on the target site - unauthenticated exploitation is not possible (CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a valid WordPress subscriber account on the target site crafts an authenticated GET request to the wp-admin area with the activate_plugin parameter present, triggering the admin_init hook and causing the server to reach out to WordPress.org and install the 'essential-content-types' plugin without any further authorization check. No public exploit code has been identified at time of analysis, but the vulnerability is straightforward to reproduce manually given access to any low-privilege WordPress account. |
| Remediation | Update the Catch Themes Demo Import plugin to a version beyond 3.3, where the authorization check has been relocated to precede the Plugin_Upgrader::install() call, as indicated by the upstream changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3604098%40catch-themes-demo-import&new=3604098%40catch-themes-demo-import. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Catch Themes Demo Import
View allThe Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality found
The Catch Themes Demo Import WordPress plugin before 2.1.1 does not validate one of the file to be imported, which could
Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, wh
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44855
GHSA-pp39-pq9r-8cpp