CVE-2026-15336
Received Received - Intake

Missing Authorization in Catch Themes Demo Import Plugin

Vulnerability report for CVE-2026-15336, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: Wordfence

Description

The Catch Themes Demo Import plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 3.3. This is due to the catch_themes_demo_import_activate_plugin() function, hooked on admin_init when the activate_plugin GET parameter is present, calling Plugin_Upgrader::install() to download and install a plugin from WordPress.org before performing the current_user_can('activate_plugins') capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to install the hardcoded 'essential-content-types' plugin from the WordPress.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
catch_themes demo_import to 3.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Catch Themes Demo Import plugin for WordPress has a vulnerability due to missing authorization checks. The function catch_themes_demo_import_activate_plugin() allows downloading and installing a plugin from WordPress.org without verifying if the user has permission to activate plugins. This flaw enables authenticated attackers with subscriber-level access or higher to install the 'essential-content-types' plugin.

Impact Analysis

An attacker could exploit this to install unwanted plugins on your WordPress site. This may lead to unauthorized changes, additional vulnerabilities, or malicious code execution. Sites with subscriber-level users or higher are at risk of plugin installation without proper oversight.

Compliance Impact

This vulnerability could lead to unauthorized plugin installations, potentially violating compliance requirements for data protection and security. Unauthorized plugins may introduce data leaks or malware, risking GDPR or HIPAA violations due to compromised site integrity.

Detection Guidance

Check WordPress installations for the Catch Themes Demo Import plugin versions up to 3.3. Look for unauthorized plugin installations, particularly the 'essential-content-types' plugin. Review admin logs for suspicious activation attempts via the activate_plugin parameter.

Mitigation Strategies

Update the Catch Themes Demo Import plugin to the latest version. Remove the 'essential-content-types' plugin if installed without authorization. Restrict subscriber-level access to prevent unauthorized plugin installations. Monitor for unusual plugin activity.

Executive Summary

The Catch Themes Demo Import plugin for WordPress has a vulnerability in versions up to 3.3. It allows authenticated users with subscriber-level access or higher to install a specific plugin called 'essential-content-types' from WordPress.org without proper authorization checks. This happens because the plugin fails to verify user permissions before installing another plugin.

Impact Analysis

An attacker could exploit this to install unwanted plugins on your WordPress site. This could lead to unauthorized changes, additional vulnerabilities, or malicious code being added to your site without your knowledge.

Compliance Impact

This vulnerability could lead to unauthorized plugin installations, potentially violating compliance requirements for data protection and security. Unauthorized plugins may introduce data leaks or malware, which could result in non-compliance with GDPR, HIPAA, or other regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15336. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart