PatchSiren cyber security CVE debrief
CVE-2026-2518 wpxpo CVE debrief
CVE-2026-2518 is an authorization weakness in the FastX WordPress theme. Because the theme’s ultp_install_callback and ultp_activate_callback functions lack capability checks, authenticated users with Subscriber-level access and above can install and activate the PostX plugin. The issue affects FastX versions up to and including 1.0.2 and is rated Medium severity (CVSS 4.3).
- Vendor: wpxpo
- Product: FastX
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-22
- Original CVE updated: 2026-05-22
- Advisory published: 2026-05-22
- Advisory updated: 2026-05-22
Who should care
WordPress administrators and site owners running the FastX theme, especially sites that allow subscriber or other low-privilege authenticated accounts. Security teams should also review environments where plugin installation and activation are normally restricted to trusted admin roles.
Technical summary
The source corpus indicates missing capability checks in FastX’s ultp_install_callback and ultp_activate_callback handlers. The practical impact is unauthorized, limited plugin installation and activation by authenticated attackers with Subscriber-level privileges or higher. The cited references point to Initialization.php at lines 249 and 264, and the mapped weakness is CWE-862 (Missing Authorization).
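The following is an added illustration for this debrief, not code from the FastX theme (the page does not reproduce the bodies of ultp_install_callback or ultp_activate_callback). It shows the generic WordPress shape of the weakness described above: an admin-ajax handler that installs or activates a plugin without asking whether the caller may, beside the hardened form. All names here are hypothetical (example_install_callback, example_activate_callback, the example_install and example_activate actions, the example_plugin nonce action, the example-plugin slug), and it assumes a single-site install.

```php
<?php
// Added illustration, not FastX code. Hypothetical function, action, nonce and
// plugin-slug names throughout; assumes a single-site WordPress install.

// Vulnerable shape: wp_ajax_* only requires a logged-in session, and nothing
// below checks a capability, so a Subscriber can reach both callbacks.
function example_install_callback() {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $api      = plugins_api( 'plugin_information', array( 'slug' => 'example-plugin' ) );
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $upgrader->install( $api->download_link ); // runs for whoever is logged in
    wp_send_json_success();
}
add_action( 'wp_ajax_example_install', 'example_install_callback' );

function example_activate_callback() {
    activate_plugin( 'example-plugin/example-plugin.php' ); // no activate_plugins check
    wp_send_json_success();
}
add_action( 'wp_ajax_example_activate', 'example_activate_callback' );

// Hardened shape: gate on the capability WordPress itself requires for the
// operation, verify a nonce against CSRF, and report failures instead of
// assuming success.
function example_install_callback_hardened() {
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient_permissions' ), 403 );
    }
    check_ajax_referer( 'example_plugin', 'nonce' ); // dies with -1 on a bad nonce

    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => 'example-plugin' ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 502 );
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link ); // true, false or WP_Error
    if ( true !== $result ) {
        $msg = is_wp_error( $result ) ? $result->get_error_message() : 'install_failed';
        wp_send_json_error( array( 'message' => $msg ), 500 );
    }
    wp_send_json_success( array( 'plugin' => $upgrader->plugin_info() ) );
}
add_action( 'wp_ajax_example_install_hardened', 'example_install_callback_hardened' );

function example_activate_callback_hardened() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient_permissions' ), 403 );
    }
    check_ajax_referer( 'example_plugin', 'nonce' );
    $result = activate_plugin( 'example-plugin/example-plugin.php' ); // null or WP_Error
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_activate_hardened', 'example_activate_callback_hardened' );
```

Two practitioner notes on the hardened form. First, the capability check is the part that matters for this CVE class; the nonce protects a legitimately privileged administrator from CSRF but does nothing against a logged-in low-privilege attacker, so a nonce alone is not a fix. Second, current_user_can( 'install_plugins' ) also returns false when the site defines DISALLOW_FILE_MODS, so the hardened callback honours a site-wide install lockdown, whereas a callback that skips the check drives Plugin_Upgrader directly and bypasses it.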
Defensive priority
Medium. This is not a remote unauthenticated compromise, but it does let low-privilege authenticated users alter site functionality by installing and activating a plugin. Prioritize remediation on internet-facing WordPress sites or sites with many subscriber accounts.
Recommended defensive actions
- Update the FastX theme as soon as the vendor ships a release newer than 1.0.2; the stored evidence records versions up to and including 1.0.2 as affected and names no fixed version.
- Restrict low-privilege account creation and review whether subscriber roles are necessary on the site.
- Audit WordPress plugin installation and activation activity for unexpected changes.
- Verify that only trusted administrative roles hold the install_plugins and activate_plugins capabilities (on a single-site install these belong to Administrator by default; on multisite only the Super Admin can install plugins), and that any theme or plugin callback that wraps plugin management enforces those same checks rather than relying on the caller being logged in.
- If immediate patching is not possible, reduce exposure in the meantime: turn off open registration (the "Anyone can register" setting) unless the site needs it, and monitor authenticated plugin-management actions closely.
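WordPress does not log plugin installs or activations by default, so the audit and monitoring items above need something to produce the records. The following must-use plugin is an added example for this debrief, not vendor code: it hooks the core actions that fire on plugin install, update, activation and deactivation, logs who triggered them, and flags the anomaly this advisory describes, an event whose actor lacks the capability the operation normally requires. The file name, function prefix (pca_) and log format are hypothetical.

```php
<?php
/**
 * Plugin Name: Plugin Change Audit (added illustration for this debrief)
 *
 * Hypothetical mu-plugin, not vendor code. Save as
 * wp-content/mu-plugins/plugin-change-audit.php; mu-plugins load on every
 * request and cannot be deactivated from the dashboard.
 */

// Describe who triggered the event. WP-CLI and cron run without a user, so
// those appear as anonymous with no client IP.
function pca_actor() {
    $user  = wp_get_current_user();
    $roles = implode( '|', (array) $user->roles );
    return sprintf(
        'user=%s id=%d roles=[%s] ip=%s',
        $user->exists() ? $user->user_login : 'anonymous',
        $user->ID,
        $roles,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'none'
    );
}

// Write one line to the PHP error log. The ANOMALY flag marks a plugin
// management event performed by an actor who does not hold the capability
// WordPress requires for it, which is exactly what an exploited missing
// capability check looks like from the inside. CLI runs are exempt because
// they carry no user context unless --user is passed.
function pca_log( $event, $plugin, $required_cap ) {
    $flag = '';
    if ( ! ( defined( 'WP_CLI' ) && WP_CLI ) && ! current_user_can( $required_cap ) ) {
        $flag = ' ANOMALY=actor-lacks-' . $required_cap;
    }
    error_log( sprintf( '[plugin-audit] event=%s plugin=%s %s%s', $event, $plugin, pca_actor(), $flag ) );
}

// activate_plugin() fires this after the plugin's own activation hook ran.
add_action( 'activated_plugin', function ( $plugin, $network_wide ) {
    pca_log( 'activate', $plugin, 'activate_plugins' );
}, 10, 2 );

add_action( 'deactivated_plugin', function ( $plugin, $network_deactivating ) {
    pca_log( 'deactivate', $plugin, 'activate_plugins' );
}, 10, 2 );

// Plugin_Upgrader fires this after an install or update finishes, including
// installs driven by custom theme or plugin code rather than the dashboard.
add_action( 'upgrader_process_complete', function ( $upgrader, $hook_extra ) {
    if ( ( $hook_extra['type'] ?? '' ) !== 'plugin' ) {
        return;
    }
    $action = $hook_extra['action'] ?? 'unknown';
    if ( 'install' === $action && $upgrader instanceof Plugin_Upgrader ) {
        $plugin = $upgrader->plugin_info() ?: 'unknown'; // plugin basename after install
    } elseif ( ! empty( $hook_extra['plugins'] ) ) {
        $plugin = implode( ',', (array) $hook_extra['plugins'] ); // bulk update
    } else {
        $plugin = $hook_extra['plugin'] ?? 'unknown'; // single update
    }
    $cap = ( 'install' === $action ) ? 'install_plugins' : 'update_plugins';
    pca_log( $action, $plugin, $cap );
}, 10, 2 );
```

Forward the web server's PHP error log to the SIEM and alert on lines containing ANOMALY=; an event=install or event=activate line with roles=[subscriber] is the signature of this class of bug being used. As a point-in-time check independent of logging, compare the output of wp plugin list --status=active --fields=name,version against the list of plugins the site is expected to run.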
Evidence notes
The vulnerability description states that missing capability checks in ultp_install_callback and ultp_activate_callback permit authenticated attackers with Subscriber-level access and above to install and activate PostX. Supporting references include the FastX theme source at Initialization.php lines 249 and 264 and the Wordfence advisory linked from the NVD record. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. Published and modified timestamps were both 2026-05-22T05:16:24.660Z.
Official resources
CVE published by NVD on 2026-05-22; source record status was 'Received' at publication time. No KEV entry was supplied.