Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
4.3
Shopire Theme for WordPress Can Install Malicious Plugins Without Permission
CVE-2025-13091
Summary
If you're using the Shopire theme for WordPress, an attacker with a basic account can install plugins without your permission. This could lead to your site being compromised or used for malicious activities. Update to version 1.0.58 or later to fix this issue.
Original title
The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire_admin_install_plugin() function in all versions up to, and includ...
Original description
The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire_admin_install_plugin() function in all versions up to, and including, 1.0.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the 'fable-extra' plugin.
nvd CVSS3.1
4.3
Vulnerability type
CWE-15
- https://themes.svn.wordpress.org/shopire/1.0.50/inc/admin/assets/js/shopire-admi...
- https://themes.svn.wordpress.org/shopire/1.0.50/inc/admin/getting-started.php
- https://themes.trac.wordpress.org/browser/shopire/1.0.50/inc/admin/assets/js/sho...
- https://themes.trac.wordpress.org/browser/shopire/1.0.50/inc/admin/getting-start...
- https://themes.trac.wordpress.org/changeset/304732/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/873b54ba-d29f-4e09-9dc...
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026