Catch Themes Demo Import <= 3.3 - Missing Authorization to Authenticated (Subscriber+) Single Plugin Installation via 'activate_plugin' Parameter
The Catch Themes Demo Import plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 3.3. This is due to the catch_themes_demo_import_activate_plugin() function, hooked on admin_init when the activate_plugin GET parameter is present, calling Plugin_Upgrader::install() to download and install a plugin from WordPress.org before performing the current_user_can('activate_plugins') capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to install the hardcoded 'essential-content-types' plugin from the WordPress.
Quick answer
Catch Themes Demo Import should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- *-3.3
Fixed versions
- 3.4
How to fix it
CVE-2026-15336 is a authorization bypass issue in Catch Themes Demo Import. Update from *-3.3 to 3.4 or newer. Keep the fix simple: upgrade first, then test the normal user flow.
- Find every place where Catch Themes Demo Import is installed or used.
- Upgrade Catch Themes Demo Import to 3.4 or a newer fixed release from the vendor.
- If you cannot upgrade right away, limit access to the affected feature until the update is done.
- Restart or redeploy the service if the product needs it after the update.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm the installed version is 3.4 or newer.
- Run a normal login, admin, and user flow to make sure the site still works.
- Check logs for new errors after the update.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-15336?
Catch Themes Demo Import versions listed as affected should be reviewed: *-3.3.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
How are Fixnx security risk categories chosen?
Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.
