Vulnerability Brief

CVE-2026-12471

What this means for your business

If this vulnerability is left unpatched on your WordPress site, a malicious user with a basic level of access can potentially take control of certain plugins, which could let them change your website's functionality or even gain higher levels of access. This could lead to compromised data or to your site being used for malicious activities, harming your business's reputation and potentially causing financial losses. Address this vulnerability by updating the affected theme to the latest version.

  • Severity: MEDIUM
  • CVSS score: 4.3

Technical summary

The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activate_plugin function in all versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate a limited set of plugins.
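
The checks such a handler needs, shown as an added example that is not code from the Spexo theme. It assumes the function is reached through a WordPress AJAX action, which this brief does not state; the action name, nonce name and allowlist entries are constructed placeholders, and the code runs inside WordPress.

```php
<?php
// Added illustration: hypothetical handler, not code from the Spexo theme.
// Action name, nonce name and allowlist entries are constructed placeholders.

const EXAMPLE_ALLOWED_PLUGINS = array(
    'example-companion/example-companion.php',
    'example-forms/example-forms.php',
);

// wp_ajax_{action} fires for every logged-in user, Subscribers included,
// so authorization has to be enforced inside the callback itself.
add_action( 'wp_ajax_example_activate_plugin', 'example_activate_plugin' );

function example_activate_plugin() {
    // 1. CSRF: the request must carry a nonce issued for this action.
    //    check_ajax_referer() terminates the request if the nonce is invalid.
    check_ajax_referer( 'example_activate_plugin', 'nonce' );

    // 2. Capability check: being logged in is not authorization.
    //    Only roles holding activate_plugins (administrators by default) pass.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Allowlist: limits which plugins can be named, but does not
    //    replace the capability check above.
    $plugin = isset( $_POST['plugin'] )
        ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) )
        : '';
    if ( ! in_array( $plugin, EXAMPLE_ALLOWED_PLUGINS, true ) ) {
        wp_send_json_error( array( 'message' => 'Plugin not allowed' ), 400 );
    }

    // activate_plugin() returns null on success or a WP_Error on failure.
    $result = activate_plugin( $plugin );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'activated' => $plugin ) );
}
```

With the capability check in place, a Subscriber-level request receives a 403 response before any plugin state changes.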