Missing Authorization Vulnerability in Catch Themes Demo Import Plugin by WordPress
CVE-2026-15336
4.3MEDIUM
What is CVE-2026-15336?
The Catch Themes Demo Import plugin for WordPress has a vulnerability that allows authenticated attackers, including those with subscriber-level access, to install plugins without proper authorization. The issue arises from the catch_themes_demo_import_activate_plugin() function executing before a capability check is performed, leading to potential exploitation where attackers can download and activate the 'essential-content-types' plugin directly from WordPress.org.
Affected Version(s)
Catch Themes Demo Import 0 <= 3.3