CVE Catalog

CVE-2026-12471

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

9th percentile — higher than 9% of all known CVEs

Summary

The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activate_plugin function. This allows authenticated attackers with Subscriber-level access or above to activate a limited set of plugins.

Risk Assessment

The risk is that an attacker with low privileges can activate plugins, potentially leading to privilege escalation or execution of malicious code in the WordPress environment.

Recommendation

It is recommended to immediately update the Spexo theme to the latest available version that includes the security fix. Also verify that no unauthorized plugins have been activated.

Original NVD description (English source)

The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activate_plugin function in all versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate a limited set of plugins.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS