PT-2026-60403 · WordPress · Catch Themes Demo Import
Prism
·
Published
2026-07-16
·
Updated
2026-07-16
·
CVE-2026-15336
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Catch Themes Demo Import versions prior to 3.4
Description
An authorization flaw exists where the
catch themes demo import activate plugin() function, triggered during admin init when the activate plugin GET parameter is present, executes Plugin Upgrader::install() to download and install a plugin from WordPress.org before verifying if the user has the activate plugins capability. This allows authenticated users with subscriber-level access or higher to install the hardcoded 'essential-content-types' plugin.Recommendations
Update to version 3.4 or later.
As a temporary mitigation, restrict access to the
activate plugin parameter in the admin init process.Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Catch Themes Demo Import