Description
The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire_admin_install_plugin() function in all versions up to, and including, 1.0.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the 'fable-extra' plugin.
Published: 2026-02-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized plugin installation by authenticated users
Action: Patch
AI Analysis

Impact

The Shopire WordPress theme contains a missing capability check in the shopire_admin_install_plugin() function. This flaw allows any authenticated user with Subscriber-level access or higher to install the fable-extra plugin, potentially leading to the execution of malicious code and compromising the site's confidentiality, integrity, or availability. The issue is categorized as CWE-15 – External Control of Input.

Affected Systems

All installations of the Shopire theme for WordPress with versions up to and including 1.0.57 are affected. The flaw exists in the admin interface where plugin installation is handled, impacting any site running a vulnerable version of this theme.

Risk and Exploitability

The CVSS score of 4.3 corresponds to Medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. To exploit the flaw, an attacker would need to log in with at least Subscriber privileges and then reach the plugin installation function through the theme's administrative interface.

Generated by OpenCVE AI on April 21, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Shopire theme to the latest version that includes the missing capability check (if available).
  • Use a role editor plugin or custom code to remove the plugin‑installation capability from Subscriber and lower roles, restricting it to administrators only.
  • Delete any fable‑extra or other malicious plugins that may have been installed using this vulnerability.
  • Perform a security audit of the WordPress site to locate and remove any additional unauthorized files or plugins, and verify that the environment is clean.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 01:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 10:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wpfable; Wpfable shopire

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wpfable; Wpfable shopire

Thu, 19 Feb 2026 05:00:00 +0000

Type: Description
Values Added: The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire_admin_install_plugin() function in all versions up to, and including, 1.0.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the 'fable-extra' plugin.

Type: Title
Values Added: Shopire <= 1.0.57 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install

Type: Weaknesses
Values Added: CWE-15

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:03.782Z

Reserved: 2025-11-12T20:33:20.581Z

Link: CVE-2025-13091

Vulnrichment

Updated: 2026-02-19T21:10:04.856Z

NVD

Status: Deferred

Published: 2026-02-19T07:17:30.153

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13091

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T16:00:13Z

Weaknesses