Security readout for executives and security teams
Plain-English summary
This WordPress theme flaw can let an unauthenticated visitor turn installed plugins on or off. That can disrupt site functions or weaken defenses if a security plugin is disabled. The sources rate it medium, with low integrity and availability impact.
Executive priority
Treat as a moderate-priority WordPress exposure. Prioritize public sites, ecommerce, lead-generation, and sites relying on plugins for security, forms, backups, or availability.
Technical view
Affected Epsilon Framework themes lack capability checks and nonces in activello_activate_plugin and activello_deactivate_plugin within inc/welcome-screen/class-activello-welcome.php. Network attackers need no account or user interaction to activate or deactivate arbitrary installed plugins.
Likely exposure
Exposure is limited to WordPress sites using Brilliance <= 1.2.7, Activello <= 1.4.0, or Newspaper X <= 1.3.1. Sites not using those themes are not indicated as affected by the supplied sources.
Exploitation context
The CVE is not listed in KEV, and the supplied sources do not state active exploitation. Practical impact depends on which plugins are installed and what security or business functions they control.
Researcher notes
Evidence identifies missing authorization and nonce checks enabling unauthenticated plugin state changes. The bundle does not provide exploit prevalence, exact fixed versions, or direct remediation details beyond the referenced theme/vendor ecosystem.
Mitigation direction
- Upgrade or replace affected themes using vendor or WordPress.org guidance.
- Remove unused plugins to reduce activation and deactivation impact.
- Remove vulnerable themes if they cannot be updated safely.
- Monitor WordPress admin activity for unexpected plugin state changes.
Validation and detection
- Inventory WordPress sites for the three affected themes and versions.
- Confirm whether vulnerable theme code is installed, even if not currently active.
- Review plugin activation and deactivation history where logs are available.
- Check Wordfence, Nintechnet, and WordPress.org theme pages for current guidance.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-284: Authorization and privilege behavior lookup
Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2020-36721 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 6.5 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L3.92.5Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
6.5MediumVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Source materials
- CVE List V5 sourceCVE List V5
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a9e4e989-8e55-4ea7-8f42-9f67cfab1168?source=cveCVE reference
- https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/CVE reference
- https://wordpress.org/themes/activello/CVE reference
- https://wordpress.org/themes/newspaper-x/CVE reference
- https://wordpress.org/themes/brilliance/CVE reference
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE mapping pending import
This CVE carries a CWE mapping that will resolve to a full Glexia CWE intelligence page after the official CWE import is complete.
