Description
The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activate_plugin function in all versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate a limited set of plugins.
Published: 2026-06-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spexo theme versions up to 2.0.11 fail to perform a capability check when activating plugins. Because of this omission, any authenticated user who holds a Subscriber role or higher can activate a restricted set of plugins that would normally require higher privileges. The vulnerability is classified as CWE-862, representing missing authorization, and can lead to the execution of additional code or features that the user should not normally have access to.

Affected Systems

The affected product is the Spexo WordPress theme. All releases from 2.0.6 through 2.0.11 are impacted. Sites that have installed these theme versions remain vulnerable until the theme is upgraded or the issue is otherwise mitigated.

Risk and Exploitability

The CVSS score of 4.3 places this issue in the moderate category, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with at least Subscriber privileges; the attacker can then activate a limited set of plugins, potentially expanding their capabilities on the site. Because the attack vector is authenticated and the plugin activation set is limited, the likelihood of widespread impact is lower, but the threat remains significant for affected installations.

Generated by OpenCVE AI on June 27, 2026 at 08:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Spexo theme to a version that implements the authorization check for plugin activation.
  • If an updated version is unavailable, disable plugin activation for non-administrative roles by removing the 'activate_plugins' capability from the Subscriber role.
  • After remediation, review all activated plugins to ensure they are required and come from trusted sources.

Generated by OpenCVE AI on June 27, 2026 at 08:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Templatescoderthemes
Templatescoderthemes spexo
Wordpress
Wordpress wordpress
Vendors & Products Templatescoderthemes
Templatescoderthemes spexo
Wordpress
Wordpress wordpress

Mon, 29 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Description The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activate_plugin function in all versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate a limited set of plugins.
Title Spexo <= 2.0.11 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Activation
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Templatescoderthemes Spexo
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-29T14:54:13.727Z

Reserved: 2026-06-16T19:58:43.286Z

Link: CVE-2026-12471

cve-icon Vulnrichment

Updated: 2026-06-29T14:48:23.354Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T20:05:52Z

Weaknesses