CVE-2026-2518
Description
The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultp_install_callback' and 'ultp_activate_callback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the PostX plugin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The FastX theme for WordPress lacks capability checks, allowing subscribers to install and activate the PostX plugin.
Vulnerability
The FastX theme for WordPress, in all versions up to and including 1.0.2, contains missing capability checks on the ultp_install_callback and ultp_activate_callback functions. This vulnerability allows authenticated attackers with Subscriber-level access and above to install and activate the PostX plugin, a privilege not normally granted to low-level users [1]. The code path is reachable via direct calls to these callback functions without verifying proper user permissions.
Exploitation
An authenticated attacker with at least Subscriber-level access can exploit this vulnerability by directly invoking either the ultp_install_callback or ultp_activate_callback functions. No additional privileges or user interaction beyond authentication are required. The attacker simply needs to be logged into the WordPress site and send a crafted request to the vulnerable endpoint.
Impact
Successful exploitation enables an attacker to install and activate the PostX plugin without authorization. This limited plugin installation capability could lead to further exploitation if the installed plugin has its own vulnerabilities, potentially resulting in information disclosure, site compromise, or privilege escalation.
Mitigation
The theme developer has not released a patched version as of the publication date of this CVE. Users should update the FastX theme to a version newer than 1.0.2 once available. As a workaround, site administrators can restrict user registration to trusted users only and monitor for unauthorized plugin installations. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
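The defect the Vulnerability section describes, an AJAX callback reachable by any logged-in user that installs and activates a plugin without checking who is asking, and the monitoring workaround named above are both illustrated below. This is an added example and not the FastX theme's code: the hook names, function names, plugin slug and log format are assumptions chosen for the illustration; only the capability-check, nonce and allow-list pattern is the point.

```php
<?php
// Added illustration of a WordPress AJAX install/activate handler.
// Not the FastX theme's code: every name below (hooks, functions, slug) is assumed.

// BEFORE: the class of defect in the advisory. Registered on wp_ajax_*, so every
// authenticated role (Subscriber included) can reach it, and nothing asks whether
// the caller may install or activate plugins.
add_action( 'wp_ajax_example_install_plugin', 'example_install_callback_unchecked' );
function example_install_callback_unchecked() {
    // No nonce check and no capability check.
    example_install_and_activate( 'example-plugin-slug' ); // placeholder slug
    wp_send_json_success();
}

// AFTER: the same handler with the checks a privileged AJAX action needs.
add_action( 'wp_ajax_example_install_plugin', 'example_install_callback_checked' );
function example_install_callback_checked() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_install_plugin', 'nonce' );

    // 2. Authorization: installing and activating plugins are administrator
    //    capabilities in a default WordPress install; refuse everyone else.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Never install whatever slug the request names; allow-list it.
    $allowed = array( 'example-plugin-slug' ); // placeholder slug
    $slug    = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown plugin.' ), 400 );
    }

    $result = example_install_and_activate( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'message' => 'Plugin installed and activated.' ) );
}

// Shared install-then-activate routine using core's Plugin_Upgrader.
function example_install_and_activate( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) ) {
        return $api;
    }

    $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $api->download_link );
    if ( is_wp_error( $installed ) || ! $installed ) {
        return new WP_Error( 'install_failed', 'Plugin installation failed.' );
    }

    // activate_plugin() returns null on success or a WP_Error on failure.
    return activate_plugin( $upgrader->plugin_info() );
}

// Detection for the workaround in the Mitigation section: record every plugin
// activation together with the acting user, so an activation by a low-privilege
// account stands out in the log. Assumed log format.
add_action( 'activated_plugin', function ( $plugin ) {
    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    error_log( sprintf(
        'plugin activated: %s by user #%d (%s, roles: %s) from %s',
        $plugin,
        $user->ID,
        $user->user_login,
        implode( ',', (array) $user->roles ),
        $ip
    ) );
}, 10, 1 );
```

The order of the checks matters: the nonce check rejects forged cross-site requests, the capability check rejects authenticated but unprivileged users (the Subscriber case this CVE concerns), and the allow-list keeps the handler from becoming an arbitrary-plugin installer even for administrators. The activation log is a cheap signal to review while a fixed theme version is not yet available.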
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References: 3
News mentions: 0
No linked articles in our index yet.