PT-2026-60403 · WordPress · Catch Themes Demo Import

Prism

·

Published

2026-07-16

·

Updated

2026-07-16

·

CVE-2026-15336

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions Catch Themes Demo Import versions prior to 3.4
Description An authorization flaw exists where the catch themes demo import activate plugin() function, triggered during admin init when the activate plugin GET parameter is present, executes Plugin Upgrader::install() to download and install a plugin from WordPress.org before verifying if the user has the activate plugins capability. This allows authenticated users with subscriber-level access or higher to install the hardcoded 'essential-content-types' plugin.
Recommendations Update to version 3.4 or later. As a temporary mitigation, restrict access to the activate plugin parameter in the admin init process.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-15336

Affected Products

Catch Themes Demo Import