CVE-2020-36721

Published: Jun 7, 2023Modified: Apr 8, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Exploitability: 3.9 / Impact: 2.5

Source: NVD

Description

The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing capability and security checks/nonces. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins installed on a vulnerable site.

Affected (15)

Products: Colorlib: Activello, Bonkers, Illdy, Newspaper X, Pixova Lite, Shapely · Cpothemes: Affluent, Allegiant, Brilliance, Transcend · Machothemes: Antreas, Medzone Lite, Naturemag Lite, Newsmag, Regina Lite

6 products

4 products

5 products

Configuration A

15 vulnerable

Vulnerable Software	Affected Versions
Colorlib Activello	Before 1.4.2
Colorlib Bonkers	Before 1.0.6
Colorlib Illdy	Before 2.1.7
Colorlib Newspaper X	Before 1.3.2
Colorlib Pixova Lite	Before 2.0.7
Colorlib Shapely	Before 1.2.9
Cpothemes Affluent	Before 1.1.2
Cpothemes Allegiant	Before 1.2.6
Cpothemes Brilliance	Before 1.3.0
Cpothemes Transcend	Before 1.2.0
Machothemes Antreas	Before 1.0.7
Machothemes Medzone Lite	Before 1.2.6
Machothemes Naturemag Lite	Up to 1.0.4
Machothemes Newsmag	Before 2.4.2
Machothemes Regina Lite	Before 2.0.6