Medium severity6.5NVD Advisory· Published Jun 7, 2023· Updated Apr 8, 2026

CVE-2020-36721

Description

The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing capability and security checks/nonces. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins installed on a vulnerable site.

Affected products

Colorlib/Activello
cpe:2.3:a:colorlib:activello:*:*:*:*:*:wordpress:*:*
Range: <1.4.2
Colorlib/Bonkers
cpe:2.3:a:colorlib:bonkers:*:*:*:*:*:wordpress:*:*
Range: <1.0.6
Colorlib/Illdy
cpe:2.3:a:colorlib:illdy:*:*:*:*:*:wordpress:*:*
Range: <2.1.7
Colorlib/Newspaper X
cpe:2.3:a:colorlib:newspaper_x:*:*:*:*:*:wordpress:*:*
Range: <1.3.2
Colorlib/Pixova Lite
cpe:2.3:a:colorlib:pixova_lite:*:*:*:*:*:wordpress:*:*
Range: <2.0.7
Colorlib/Shapely
cpe:2.3:a:colorlib:shapely:*:*:*:*:*:wordpress:*:*
Range: <1.2.9
Cpothemes/Affluent
cpe:2.3:a:cpothemes:affluent:*:*:*:*:*:wordpress:*:*
Range: <1.1.2
Cpothemes/Allegiant
cpe:2.3:a:cpothemes:allegiant:*:*:*:*:*:wordpress:*:*
Range: <1.2.6
Cpothemes/Brilliance
cpe:2.3:a:cpothemes:brilliance:*:*:*:*:*:wordpress:*:*
Range: <1.3.0
Cpothemes/Transcend
cpe:2.3:a:cpothemes:transcend:*:*:*:*:*:wordpress:*:*
Range: <1.2.0
Machothemes/Antreas
cpe:2.3:a:machothemes:antreas:*:*:*:*:*:wordpress:*:*
Range: <1.0.7
Machothemes/Medzone Lite
cpe:2.3:a:machothemes:medzone_lite:*:*:*:*:*:wordpress:*:*
Range: <1.2.6
Machothemes/Naturemag Lite
cpe:2.3:a:machothemes:naturemag_lite:*:*:*:*:*:wordpress:*:*
Range: <=1.0.4
Machothemes/Newsmag
cpe:2.3:a:machothemes:newsmag:*:*:*:*:*:wordpress:*:*
Range: <2.4.2
Machothemes/Regina Lite
cpe:2.3:a:machothemes:regina_lite:*:*:*:*:*:wordpress:*:*
Range: <2.0.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/nvdExploitThird Party Advisory
www.wordfence.com/threat-intel/vulnerabilities/id/a9e4e989-8e55-4ea7-8f42-9f67cfab1168nvdThird Party Advisory
wordpress.org/themes/activello/nvdProduct
wordpress.org/themes/brilliance/nvdProduct
wordpress.org/themes/newspaper-x/nvdProduct

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000