Security Alert Summary
The FastX theme contains missing capability checks in functions that handle limited plugin installation and activation. Authenticated users with Subscriber-level access and above can trigger the theme’s ultp_install_callback and ultp_activate_callback functions to install and activate the PostX plugin. This behavior affects all versions up to and including 1.0.2.
CVE Details
- CVE ID: CVE-2026-2518
- Affected component: FastX theme for WordPress
- Affected versions: All versions up to and including 1.0.2
- Published: May 22, 2026 at 5:16:24 AM UTC
- Last modified: May 22, 2026 at 5:16:24 AM UTC
- CVSS v3.1: Base score 4.3, MEDIUM — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Authentication / Privileges / User interaction: Authenticated attacker required (Subscriber-level access or higher). Privileges required: LOW. User interaction: NONE.
- Primary impact: Confidentiality: NONE; Integrity: LOW; Availability: NONE
- Weakness (CWE): CWE-862 (Missing Authorization)
Technical Details
The FastX theme implements callback functions named ultp_install_callback and ultp_activate_callback that perform limited plugin installation and activation. These functions lack proper capability or authorization checks, which allows authenticated users with Subscriber-level permissions and above to invoke them and cause the theme to install and activate the PostX plugin.
The root cause is missing authorization verification in the named callback functions. Installing and activating plugins are guarded in WordPress by the install_plugins and activate_plugins capabilities, which on a single-site install belong only to the Administrator role. Because the theme does not check that the invoking user holds those capabilities before running the install and activation logic, any authenticated user, down to Subscriber, can trigger those operations through the theme’s code paths.
Impact is limited by the actions the installed or activated plugin can perform. In this case the direct vulnerability enables installation and activation of PostX; any further risk depends on PostX’s behavior and site configuration. The CVSS assessment reflects a limited integrity impact and no direct confidentiality or availability impact.
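To make the CWE-862 pattern concrete, the following is an added, hypothetical illustration written for this page; it is not the FastX theme’s source, and the handler names, the nonce action and the assumed PostX slug (`ultimate-post`) are assumptions. It places an AJAX callback that installs and activates a plugin with no authorization check beside a hardened version that verifies a nonce and the two capabilities WordPress itself uses for these actions. Both use only WordPress core APIs (`plugins_api`, `Plugin_Upgrader`, `activate_plugin`).

```php
<?php
/**
 * Illustrative (hypothetical) AJAX handlers, not the FastX theme's code.
 * Shows a missing-authorization install/activate callback beside a hardened form.
 */

// Assumed WordPress.org slug for PostX; the advisory only says "the PostX plugin".
define( 'EXAMPLE_PLUGIN_SLUG', 'ultimate-post' );

// --- Vulnerable pattern (CWE-862) ---
// wp_ajax_* hooks fire for every logged-in user regardless of role, so a
// handler attached here with no capability check is reachable by Subscribers.
add_action( 'wp_ajax_example_install', 'example_install_callback_vulnerable' );
function example_install_callback_vulnerable() {
    example_install_and_activate( EXAMPLE_PLUGIN_SLUG );
    wp_send_json_success( 'installed' );
}

// --- Hardened form: nonce and capability checks before any side effect ---
add_action( 'wp_ajax_example_install_safe', 'example_install_callback_hardened' );
function example_install_callback_hardened() {
    // CSRF protection; nonce action/field names are assumptions for this example.
    check_ajax_referer( 'example_install_nonce', 'nonce' );

    // Authorization: install and activate are distinct capabilities; on a
    // single site both are granted to Administrators only.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    $result = example_install_and_activate( EXAMPLE_PLUGIN_SLUG );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( 'installed and activated' );
}

/**
 * Shared helper: look the package up on WordPress.org, install it, activate it.
 * Returns null on success or a WP_Error.
 */
function example_install_and_activate( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) ) {
        return $api;
    }

    $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $api->download_link );
    if ( is_wp_error( $installed ) || ! $installed ) {
        return new WP_Error( 'install_failed', 'Plugin install failed' );
    }

    $plugin_file = $upgrader->plugin_info(); // e.g. "ultimate-post/ultimate-post.php"
    if ( ! $plugin_file ) {
        return new WP_Error( 'install_failed', 'Could not determine installed plugin file' );
    }
    return activate_plugin( $plugin_file );
}
```

The important detail is where the check sits: it must run before `example_install_and_activate` is called, because `Plugin_Upgrader::install` and `activate_plugin` do not enforce capabilities themselves; they trust the caller to have done so.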
How This Could Impact Your Website
Consider a small site with an administrator (site owner), several internal staff members with editor or author roles, and an external contractor or contributor assigned Subscriber-level access. If a Subscriber-level account is compromised or controlled by a malicious actor, that account could be used to invoke the theme callbacks and install or activate the PostX plugin without administrator approval. That change could alter site content or behavior, add new UI elements, or introduce features that an attacker could misuse.
While the CVSS assessment indicates no direct confidentiality impact from the vulnerability itself, installing or activating plugins can increase the risk of secondary issues. For example, newly installed plugins might expose additional functionality that reveals user lists or contact details, or they could be misused to facilitate targeted phishing or social-engineering attacks against staff or customers.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the FastX theme to a patched version as soon as one is available.
- Review and reduce unnecessary user roles and capabilities, especially Subscriber and Contributor accounts. If the site allows open registration (Settings > General > Membership), new accounts receive the default role, normally Subscriber, which is enough to reach this code path; consider disabling open registration until the theme is patched.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained themes and plugins from the site.
- Monitor site activity and audit logs for unusual plugin installations or activation events, in particular any install or activation of PostX that was not performed by an Administrator account.
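One way to get the audit signal the last item asks for, as an added example rather than anything shipped by FastX or WordPress: a must-use plugin that hooks the core `activated_plugin` and `upgrader_process_complete` actions, records which user performed each plugin install or activation, and flags the event when that user lacks the capability the action normally requires. The file name, log format and the `example_` function names are assumptions for this page.

```php
<?php
/**
 * Plugin Name: Example Plugin Activation Audit
 * Description: Added example (not from the advisory). Place in wp-content/mu-plugins/.
 * Logs plugin installs/activations with the acting user and flags actions
 * performed by a user who lacks the capability the action normally requires.
 */

function example_audit_actor() {
    $user = wp_get_current_user();
    if ( ! $user || 0 === $user->ID ) {
        return array( 'id' => 0, 'login' => 'anonymous', 'roles' => array() );
    }
    return array( 'id' => $user->ID, 'login' => $user->user_login, 'roles' => $user->roles );
}

/**
 * Writes one log line to the PHP error log and returns whether the actor
 * actually held $required_cap. A "no" here is exactly the signature of a
 * missing-capability bug being exercised.
 */
function example_audit_log( $event, $plugin, $required_cap ) {
    $actor   = example_audit_actor();
    $allowed = current_user_can( $required_cap );
    $ip      = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'cli';

    $line = sprintf(
        '[plugin-audit] event=%s plugin=%s user=%s(%d) roles=%s cap=%s allowed=%s ip=%s%s',
        $event,
        $plugin,
        $actor['login'],
        $actor['id'],
        implode( ',', $actor['roles'] ),
        $required_cap,
        $allowed ? 'yes' : 'no',
        $ip,
        $allowed ? '' : ' ANOMALY: action by user without ' . $required_cap
    );
    error_log( $line );
    return $allowed;
}

// Fires whenever a plugin is activated, including through activate_plugin()
// called from theme or plugin code rather than the admin UI.
add_action( 'activated_plugin', function ( $plugin, $network_wide ) {
    example_audit_log( 'activate', $plugin, 'activate_plugins' );
}, 10, 2 );

// Fires when Plugin_Upgrader finishes an install or update; $hook_extra
// carries 'type' => 'plugin' and 'action' => 'install' | 'update'.
add_action( 'upgrader_process_complete', function ( $upgrader, $hook_extra ) {
    if ( empty( $hook_extra['type'] ) || 'plugin' !== $hook_extra['type'] ) {
        return;
    }
    $action = isset( $hook_extra['action'] ) ? $hook_extra['action'] : 'unknown';
    $plugin = 'unknown';
    if ( 'install' === $action && method_exists( $upgrader, 'plugin_info' ) ) {
        $plugin = $upgrader->plugin_info() ? $upgrader->plugin_info() : 'unknown';
    } elseif ( ! empty( $hook_extra['plugins'] ) ) {
        $plugin = implode( ',', (array) $hook_extra['plugins'] );
    } elseif ( ! empty( $hook_extra['plugin'] ) ) {
        $plugin = $hook_extra['plugin'];
    }
    $cap = ( 'install' === $action ) ? 'install_plugins' : 'update_plugins';
    example_audit_log( $action, $plugin, $cap );
}, 10, 2 );
```

A log line ending in `allowed=no ... ANOMALY` means a plugin was installed or activated in a request authenticated as a user who could not have done so through the normal admin screens, which is the behaviour this advisory describes. For a one-off check of the current state, `wp plugin list --status=active` (WP-CLI) shows whether PostX is already active on the site, and `wp user list --role=subscriber` lists the accounts that could have reached the vulnerable path.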
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.