PatchSiren cyber security CVE debrief
CVE-2026-15336 catchplugins CVE debrief
The Catch Themes Demo Import plugin for WordPress has a missing authorization vulnerability in versions up to and including 3.3. This is due to the catch_themes_demo_import_activate_plugin() function, hooked on admin_init when the activate_plugin GET parameter is present, calling Plugin_Upgrader::install() to download and install a plugin from WordPress.org before performing the current_user_can('activate_plugins') capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to install the hardcoded 'essential-content-types' plugin from WordPress.
- Vendor
- catchplugins
- Product
- Catch Themes Demo Import
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Authenticated attackers with subscriber-level access and above can exploit this vulnerability to install the hardcoded 'essential-content-types' plugin from WordPress. This could potentially allow them to execute arbitrary code or take control of the affected system.
Technical summary
The vulnerability exists in the catch_themes_demo_import_activate_plugin() function, which is hooked on admin_init when the activate_plugin GET parameter is present. The function calls Plugin_Upgrader::install() to download and install a plugin from WordPress.org before performing the current_user_can('activate_plugins') capability check. This allows authenticated attackers with subscriber-level access and above to install the hardcoded 'essential-content-types' plugin from WordPress.
Defensive priority
Medium
Recommended defensive actions
- Verify and limit the 'activate_plugin' GET parameter usage.
- Restrict plugin installation to authorized users.
- Monitor for unauthorized plugin installations.
- Implement additional logging and monitoring for admin_init hooks.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The vulnerability was reported by [email protected]. The CVE record was published on 2026-07-16T04:17:22.073Z and has not been modified since then. The Catch Themes Demo Import plugin for WordPress has a missing authorization vulnerability in versions up to and including 3.3. This vulnerability allows authenticated attackers with subscriber-level access and above to install the hardcoded 'essential-content-types' plugin from WordPress. The vulnerability exists due to the catch_themes_demo_import_activate_plugin() function, which is hooked on admin_init when the activate_plugin GET parameter is present, calling Plugin_Upgrader::install() to download and install a plugin from WordPress.org before performing the current_user_can('activate_plugins') capability check.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T04:17:22.073Z and has not been modified since then.