CVE-2024-13423

Name of the Vulnerable Software and Affected Versions Sparkling theme for WordPress versions up to, and including, 2.4.9

Description The issue allows unauthorized plugin activation and deactivation due to a missing capability check on the sparkling activate plugin and sparkling deactivate plugin functions. This enables unauthenticated attackers to activate or deactivate arbitrary plugins.

Recommendations For versions up to, and including, 2.4.9, update to a version that includes a fix for this issue to prevent unauthorized plugin activation and deactivation. As a temporary workaround, consider restricting access to the sparkling activate plugin and sparkling deactivate plugin functions until a patch is available.