Resoto <= 1.0.8 is vulnerable to Broken Access Control to Arbitrary Plugin Activation

The Resoto theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_plugin' function in versions up to, and including, 1.0.8. This makes it possible for authenticated attackers with subscriber-level access, and above, to use an ajax endpoint to activate an arbitrary plugin and hide the notice.