LiveActive security incident?Get immediate response
CVE Record

CVE-2020-36721: Epsilon Framework Themes (Various Versions) - Unauthenticated Plugin Activation/Deactivation

The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing capability and security checks/nonces. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins installed on a vulnerable site.

MediumCVSS 6.5Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This WordPress theme flaw can let an unauthenticated visitor turn installed plugins on or off. That can disrupt site functions or weaken defenses if a security plugin is disabled. The sources rate it medium, with low integrity and availability impact.

Executive priority

Treat as a moderate-priority WordPress exposure. Prioritize public sites, ecommerce, lead-generation, and sites relying on plugins for security, forms, backups, or availability.

Technical view

Affected Epsilon Framework themes lack capability checks and nonces in activello_activate_plugin and activello_deactivate_plugin within inc/welcome-screen/class-activello-welcome.php. Network attackers need no account or user interaction to activate or deactivate arbitrary installed plugins.

Likely exposure

Exposure is limited to WordPress sites using Brilliance <= 1.2.7, Activello <= 1.4.0, or Newspaper X <= 1.3.1. Sites not using those themes are not indicated as affected by the supplied sources.

Exploitation context

The CVE is not listed in KEV, and the supplied sources do not state active exploitation. Practical impact depends on which plugins are installed and what security or business functions they control.

Researcher notes

Evidence identifies missing authorization and nonce checks enabling unauthenticated plugin state changes. The bundle does not provide exploit prevalence, exact fixed versions, or direct remediation details beyond the referenced theme/vendor ecosystem.

Mitigation direction

  • Upgrade or replace affected themes using vendor or WordPress.org guidance.
  • Remove unused plugins to reduce activation and deactivation impact.
  • Remove vulnerable themes if they cannot be updated safely.
  • Monitor WordPress admin activity for unexpected plugin state changes.

Validation and detection

  • Inventory WordPress sites for the three affected themes and versions.
  • Confirm whether vulnerable theme code is installed, even if not currently active.
  • Review plugin activation and deactivation history where logs are available.
  • Check Wordfence, Nintechnet, and WordPress.org theme pages for current guidance.
Prepared
Confidence
high
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-284: Authorization and privilege behavior lookup

Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2020-36721 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
6.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
6Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
6.5CVSS 3.1MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L3.92.5Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

6.5Medium
CVSS 3.1 vector shape for CVE-2020-36721Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
wpchillBrilliance0unaffected
silkalnsNewspaper X0unaffected
silkalnsActivello0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-284 · source CWE mapping

CWE mapping pending import

This CVE carries a CWE mapping that will resolve to a full Glexia CWE intelligence page after the official CWE import is complete.