Dreamer Blog WordPress Theme Missing Capability Check Vulnerability Allowing Arbitrary Plugin Installation
Vulnerability
A vulnerability exists in the Dreamer Blog WordPress theme, versions up to and including 1.2, that allows arbitrary plugin installation. The issue arises from a missing capability check on an admin-ajax action, so any authenticated user, from the Subscriber role upward, can trigger it.
Impact
Exploitation of this vulnerability could lead to unauthorized installation of plugins, potentially allowing for malicious code execution or other harmful actions on the WordPress site.
Reproduction
To reproduce this vulnerability, send a POST request to 'wp-admin/admin-ajax.php' with the action 'install_act_plugin_custom'. Include a 'plugin' parameter holding the slug of the desired WordPress.org plugin, such as 'hello-dolly'. The request must carry a valid 'wordpress_logged_in' cookie, i.e. any authenticated user session; no administrator privileges are required.
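The following is an added example, not the theme's actual code: a hypothetical admin-ajax handler for the 'install_act_plugin_custom' action, first written with the missing capability check the advisory describes, then hardened with a nonce check and a current_user_can('install_plugins') gate. Function names, the nonce action name and the exact installer calls are assumptions.

```php
<?php
// Added example (not the Dreamer Blog theme's code). Function names are assumptions.

// VULNERABLE PATTERN: a wp_ajax_ hook fires for every logged-in user, Subscribers
// included, and nothing here checks that the caller is allowed to install plugins
// or that the request was intentionally made from the admin UI.
function dreamer_install_plugin_vulnerable() {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $slug     = sanitize_key( $_POST['plugin'] );                     // e.g. 'hello-dolly'
    $api      = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $upgrader->install( $api->download_link );
    wp_send_json_success();
}

// HARDENED: same handler, but the request must carry a valid nonce (CSRF) and the
// caller must hold 'install_plugins', which WordPress grants only to Administrators
// on single sites (Super Admins on multisite).
function dreamer_install_plugin_hardened() {
    // Dies with -1 / 403 on a missing or invalid nonce. The nonce is assumed to be
    // created with wp_create_nonce( 'dreamer_install_plugin' ) on the admin page.
    check_ajax_referer( 'dreamer_install_plugin', 'nonce' );
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $slug = isset( $_POST['plugin'] ) ? sanitize_key( wp_unslash( $_POST['plugin'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( 'Missing plugin slug.', 400 );
    }
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 400 );
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'Installation failed.', 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}
// Register only the authenticated hook; there is deliberately no wp_ajax_nopriv_
// variant, so unauthenticated requests never reach the handler at all.
add_action( 'wp_ajax_install_act_plugin_custom', 'dreamer_install_plugin_hardened' );
```

For detection, admin-ajax.php requests with action=install_act_plugin_custom from non-administrator sessions, or plugin directories appearing without a matching administrator login, are the signals worth alerting on.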
