Skip to main content

Spexo

1 CVEs product

Monthly

CVE-2026-12471 MEDIUM This Month

Unauthorized plugin activation in the Spexo WordPress theme (all versions through 2.0.11) is possible due to a missing capability check on the theme's activate_plugin function, exposing sites to integrity compromise by low-privileged authenticated users. Attackers holding Subscriber-level accounts or higher can trigger plugin activation outside of WordPress's native authorization controls, bypassing the intended administrator-only restriction. No public exploit code or active exploitation has been identified at time of analysis, and no EPSS data was provided.

Authentication Bypass WordPress Spexo
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized plugin activation in the Spexo WordPress theme (all versions through 2.0.11) is possible due to a missing capability check on the theme's activate_plugin function, exposing sites to integrity compromise by low-privileged authenticated users. Attackers holding Subscriber-level accounts or higher can trigger plugin activation outside of WordPress's native authorization controls, bypassing the intended administrator-only restriction. No public exploit code or active exploitation has been identified at time of analysis, and no EPSS data was provided.

Authentication Bypass WordPress Spexo
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy