Impact
Spexo theme versions up to 2.0.11 fail to perform a capability check when activating plugins. Because of this omission, any authenticated user who holds a Subscriber role or higher can activate a restricted set of plugins that would normally require higher privileges. The vulnerability is classified as CWE-862, representing missing authorization, and can lead to the execution of additional code or features that the user should not normally have access to.
Affected Systems
The affected product is the Spexo WordPress theme. All releases from 2.0.6 through 2.0.11 are impacted. Sites that have installed these theme versions remain vulnerable until the theme is upgraded or the issue is otherwise mitigated.
Risk and Exploitability
The CVSS score of 4.3 places this issue in the moderate category, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with at least Subscriber privileges; the attacker can then activate a limited set of plugins, potentially expanding their capabilities on the site. Because the attack vector is authenticated and the plugin activation set is limited, the likelihood of widespread impact is lower, but the threat remains significant for affected installations.
OpenCVE Enrichment