Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-15336

CVE-2026-15336: WordPress Catch Themes Auth Bypass Flaw

CVE-2026-15336 is an authorization bypass vulnerability in the Catch Themes Demo Import plugin for WordPress that allows subscribers to install plugins. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-15336 Overview

CVE-2026-15336 is a missing authorization vulnerability [CWE-862] affecting the Catch Themes Demo Import plugin for WordPress in versions up to and including 3.3. The flaw resides in the catch_themes_demo_import_activate_plugin() function, which is hooked to admin_init and executes when the activate_plugin GET parameter is present. The function calls Plugin_Upgrader::install() to download and install a plugin from WordPress.org before the current_user_can('activate_plugins') capability check runs. Authenticated attackers with subscriber-level access or higher can trigger installation of the hardcoded essential-content-types plugin from the WordPress.org repository.

Critical Impact

Low-privileged authenticated users can force installation of an attacker-designated plugin, expanding the attack surface of an affected WordPress site.

Affected Products

  • Catch Themes Demo Import plugin for WordPress
  • Versions up to and including 3.3
  • WordPress sites permitting subscriber-level registration

Discovery Timeline

  • 2026-07-16 - CVE-2026-15336 published to NVD
  • 2026-07-16 - Last updated in NVD database

Technical Details for CVE-2026-15336

Vulnerability Analysis

The Catch Themes Demo Import plugin registers catch_themes_demo_import_activate_plugin() on the admin_init action. Because admin_init fires for any authenticated user accessing /wp-admin/, subscriber-level accounts can reach the function. When the request contains the activate_plugin GET parameter, the function immediately invokes Plugin_Upgrader::install() against the hardcoded essential-content-types plugin slug.

The capability check for activate_plugins occurs after the installation call, rather than before it. This ordering error means the privileged installation operation completes regardless of the caller's role. The Exploit Prediction Scoring System places CVE-2026-15336 in the lower probability range, but subscriber-enabled sites remain directly exposed.

Root Cause

The root cause is an out-of-order authorization check. Developer-facing code inside demo-importer.php (lines 135, 136, 233, and 235 in tags 3.2 and 3.3) executes the sensitive Plugin_Upgrader::install() call before evaluating current_user_can('activate_plugins'). Any code path that assumes a user must be authorized to reach a function is invalid when the authorization gate sits below the sensitive action.

Attack Vector

The attack requires an authenticated session at subscriber level or higher and network access to the WordPress admin interface. An attacker registers or uses an existing low-privileged account, then issues a GET request to a WordPress admin endpoint that carries the activate_plugin parameter. The plugin installer proceeds without verifying the account's capabilities, and the essential-content-types plugin is fetched from WordPress.org and installed on the site.

No verified proof-of-concept code is publicly available. Refer to the Wordfence Vulnerability Report and the WordPress Demo Importer Code for technical details of the vulnerable code path.

Detection Methods for CVE-2026-15336

Indicators of Compromise

  • Unexpected presence of the essential-content-types plugin directory under wp-content/plugins/ on sites that did not intentionally install it.
  • Web server access log entries containing the activate_plugin GET parameter originating from low-privileged authenticated sessions.
  • New plugin files with modification timestamps that correlate with subscriber-level login events.

Detection Strategies

  • Monitor WordPress wp-admin request logs for the activate_plugin query parameter paired with non-administrator session cookies.
  • Audit the active_plugins and plugins options in the wp_options table for entries not authorized through change control.
  • Alert on Plugin_Upgrader::install() invocations recorded by WordPress debug logging outside of administrator workflows.

Monitoring Recommendations

  • Enable file integrity monitoring on the wp-content/plugins/ directory to detect unauthorized additions.
  • Track new user registrations and correlate them with subsequent admin-area requests within short time windows.
  • Forward WordPress and web server logs to a centralized SIEM to identify anomalous plugin installation activity across sites.

How to Mitigate CVE-2026-15336

Immediate Actions Required

  • Update the Catch Themes Demo Import plugin to a version above 3.3 once the vendor releases a fix, per the WordPress Changeset Overview.
  • Disable open user registration or restrict the default new-user role to eliminate subscriber-level footholds.
  • Review installed plugins and remove essential-content-types if it was installed without authorization.

Patch Information

The vulnerable code paths are identified in inc/demo-importer.php at lines 135, 136, 233, and 235 across tags 3.2 and 3.3. Site administrators should upgrade to the fixed release published by Catch Themes and confirm that the current_user_can('activate_plugins') check executes before any call to Plugin_Upgrader::install(). Consult the Wordfence Vulnerability Report for the latest patched version guidance.

Workarounds

  • Deactivate the Catch Themes Demo Import plugin until a patched version is installed.
  • Restrict access to /wp-admin/ using web application firewall rules that block requests containing the activate_plugin parameter for non-administrator sessions.
  • Set the WordPress default_role option to a value that cannot be leveraged to reach admin_init, and audit existing subscriber accounts.
bash
# Configuration example: disable open registration and enforce a safe default role
wp option update users_can_register 0
wp option update default_role subscriber
wp plugin deactivate catch-themes-demo-import

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.