Platform
wordpress
Component
allegiant
Fixed in
1.2.3
1.0.5
2.4.2
1.2.8
1.0.5
2.0.5
1.1.9
2.4.9
1.3.2
1.0.3
1.1.1
1.2.8
1.4.1
2.1.5
1.2.5
2.0.6
CVE-2020-36708 describes a critical function injection vulnerability impacting several WordPress themes, including Shapely, NewsMag, and Allegiant. This flaw allows unauthenticated attackers to execute arbitrary code on vulnerable systems. The vulnerability affects versions up to 2.4.8, and a patch is available in version 2.4.9.
The impact of this vulnerability is severe. An attacker can leverage the epsilonframeworkajax_action to inject and execute arbitrary PHP code on the WordPress server. This can lead to complete compromise of the website, including data theft, defacement, malware installation, and potential access to the underlying server. The lack of authentication requirements means that any external user can trigger this vulnerability, significantly expanding the attack surface. This vulnerability shares similarities with other WordPress plugin and theme vulnerabilities where improper input validation allows for code execution.
This CVE was published on 2023-06-07. While no active exploitation campaigns have been publicly confirmed, the critical severity and ease of exploitation make it a high-priority target. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread attacks. It is not listed on the CISA KEV catalog as of this writing.
Exploit Status
EPSS
90.47% (100% percentile)
CVSS Vector
The primary mitigation is to immediately upgrade the affected WordPress themes to version 2.4.9 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the vulnerable themes. As a secondary measure, implement a Web Application Firewall (WAF) rule to block requests containing suspicious payloads targeting the epsilonframeworkajax_action. Regularly review WordPress plugin and theme updates to proactively address potential vulnerabilities.
Update the affected WordPress themes to the latest available version. This will resolve the function injection vulnerability and protect your website from remote code execution.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2020-36708 is a critical vulnerability allowing unauthenticated attackers to execute code in several WordPress themes like Shapely and NewsMag due to improper handling of the epsilonframeworkajax_action.
You are affected if you are using Shapely, NewsMag, Allegiant, or other listed themes in versions up to 2.4.8. Check your theme versions and upgrade immediately.
Upgrade the affected WordPress themes to version 2.4.9 or later. If immediate upgrade is not possible, temporarily disable the vulnerable themes and implement WAF rules.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation make it a high-priority target for attackers.
Refer to the theme developers' websites or WordPress.org for official advisories and updates related to CVE-2020-36708.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.