PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15336 catchplugins CVE debrief

The Catch Themes Demo Import plugin for WordPress has a missing authorization vulnerability in versions up to and including 3.3. This is due to the catch_themes_demo_import_activate_plugin() function, hooked on admin_init when the activate_plugin GET parameter is present, calling Plugin_Upgrader::install() to download and install a plugin from WordPress.org before performing the current_user_can('activate_plugins') capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to install the hardcoded 'essential-content-types' plugin from WordPress.

Vendor
catchplugins
Product
Catch Themes Demo Import
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Authenticated attackers with subscriber-level access and above can exploit this vulnerability to install the hardcoded 'essential-content-types' plugin from WordPress. This could potentially allow them to execute arbitrary code or take control of the affected system.

Technical summary

The vulnerability exists in the catch_themes_demo_import_activate_plugin() function, which is hooked on admin_init when the activate_plugin GET parameter is present. The function calls Plugin_Upgrader::install() to download and install a plugin from WordPress.org before performing the current_user_can('activate_plugins') capability check. This allows authenticated attackers with subscriber-level access and above to install the hardcoded 'essential-content-types' plugin from WordPress.

Defensive priority

Medium

Recommended defensive actions

  • Verify and limit the 'activate_plugin' GET parameter usage.
  • Restrict plugin installation to authorized users.
  • Monitor for unauthorized plugin installations.
  • Implement additional logging and monitoring for admin_init hooks.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The vulnerability was reported by [email protected]. The CVE record was published on 2026-07-16T04:17:22.073Z and has not been modified since then. The Catch Themes Demo Import plugin for WordPress has a missing authorization vulnerability in versions up to and including 3.3. This vulnerability allows authenticated attackers with subscriber-level access and above to install the hardcoded 'essential-content-types' plugin from WordPress. The vulnerability exists due to the catch_themes_demo_import_activate_plugin() function, which is hooked on admin_init when the activate_plugin GET parameter is present, calling Plugin_Upgrader::install() to download and install a plugin from WordPress.org before performing the current_user_can('activate_plugins') capability check.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T04:17:22.073Z and has not been modified since then.