CVE-2026-2518
Unauthorized Plugin Installation in FastX WordPress Theme

Publication date: 2026-05-22

Last updated on: 2026-05-22

Assigner: Wordfence

Description
The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultp_install_callback' and 'ultp_activate_callback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the PostX plugin.
Meta Information
Published: 2026-05-22
Last Modified: 2026-05-22
Generated: 2026-06-11
AI Q&A: 2026-05-23
EPSS Evaluated: 2026-06-10
Affected Vendors & Products (1 associated CPE)
Vendor: fastx
Product: theme
Version / Range: up to 1.0.2 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Mitigation Strategies

The vulnerability allows authenticated users with Subscriber-level access and above to install and activate the PostX plugin due to missing capability checks in the FastX theme versions up to 1.0.2.

Immediate mitigation steps include updating the FastX theme to a version later than 1.0.2 where this issue is fixed.

If an update is not immediately possible, restrict user roles to prevent Subscriber-level users from accessing plugin installation and activation functionalities.

Executive Summary

The FastX theme for WordPress has a vulnerability due to missing capability checks in the functions 'ultp_install_callback' and 'ultp_activate_callback' in all versions up to and including 1.0.2.

This flaw allows authenticated users with Subscriber-level access or higher to install and activate the PostX plugin without proper authorization.

Impact Analysis

An attacker with Subscriber-level access can exploit this vulnerability to install and activate the PostX plugin on the WordPress site.

This unauthorized plugin installation can lead to potential security risks including unauthorized changes to the website, introduction of malicious code, or further exploitation depending on the installed plugin's capabilities.

Detection Guidance

This vulnerability involves unauthorized limited plugin installation and activation in the FastX WordPress theme due to missing capability checks. Detection would focus on identifying unauthorized installation or activation of the PostX plugin by users with Subscriber-level access or higher.

To detect exploitation attempts or presence of the vulnerability, you can check your WordPress installation for unexpected activation or installation of the PostX plugin, especially by users who should not have such permissions.

  • Use WP-CLI commands to list installed and active plugins: `wp plugin list`
  • Check user roles and capabilities to verify if Subscriber-level users have performed plugin installations or activations.
  • Review WordPress logs or audit logs for calls to 'ultp_install_callback' and 'ultp_activate_callback' functions or plugin installation events triggered by Subscriber-level users.
  • Monitor HTTP requests to your WordPress site for POST requests targeting plugin installation or activation endpoints that could be linked to the FastX theme callbacks.
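The capability checks this advisory reports as missing, applied as a site-level compensating control until the theme is updated. This is an added example, not code from the FastX theme or from Wordfence: a must-use plugin that refuses plugin installs by users without the core `install_plugins` capability, logs every activation with the acting user's roles, and reverts activations by users without `activate_plugins`. The `cap_guard` prefix and the log line format are assumptions of this example; the hooks and functions are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Capability guard for plugin install/activate (added example)
 * Place in wp-content/mu-plugins/ so it loads on every request.
 */

// WP-CLI runs without a logged-in user unless --user is passed; do not
// block an administrator's CLI maintenance with these checks.
function cap_guard_is_cli() {
    return defined( 'WP_CLI' ) && WP_CLI;
}

// Abort plugin installs (any code path that goes through WP_Upgrader)
// when the acting user lacks the core 'install_plugins' capability.
add_filter( 'upgrader_pre_install', function ( $response, $hook_extra ) {
    if ( is_wp_error( $response ) || cap_guard_is_cli() ) {
        return $response;
    }
    $type = isset( $hook_extra['type'] ) ? $hook_extra['type'] : '';
    if ( 'plugin' === $type && ! current_user_can( 'install_plugins' ) ) {
        error_log( sprintf(
            '[cap_guard] blocked plugin install by user #%d: %s',
            get_current_user_id(),
            wp_json_encode( $hook_extra )
        ) );
        return new WP_Error( 'cap_guard_denied', 'Insufficient capability to install plugins.' );
    }
    return $response;
}, 10, 2 );

// Record every activation with the actor's roles (an audit trail for the
// "activated by a Subscriber" condition described above) and revert it
// when the actor lacks 'activate_plugins'.
add_action( 'activated_plugin', function ( $plugin, $network_wide ) {
    if ( cap_guard_is_cli() ) {
        return;
    }
    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode( ',', $user->roles ) : 'none';
    error_log( sprintf(
        '[cap_guard] plugin %s activated by user #%d roles=%s',
        $plugin, $user->ID, $roles
    ) );
    if ( ! current_user_can( 'activate_plugins' ) ) {
        deactivate_plugins( $plugin, true, $network_wide );
        error_log( sprintf( '[cap_guard] reverted activation of %s', $plugin ) );
    }
}, 10, 2 );
```

Entries land in the PHP error log (wp-content/debug.log when WP_DEBUG_LOG is enabled), so grepping for `[cap_guard]` alongside the `wp plugin list` output above shows who installed or activated what, and whether it was reverted.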