Platform: wordpress
Component: accessally
Fixed in: 3.3.2
CVE-2020-36875 describes a critical arbitrary code execution (RCE) vulnerability in AccessAlly, a WordPress membership plugin. The flaw allows an unauthenticated attacker to execute code of their choosing on the web server, which can lead to complete compromise of the site and host. All AccessAlly versions prior to 3.3.2 are affected; the fix shipped in 3.3.2.
The impact is severe. An attacker can reach the plugin's login_error function and use it to inject and execute arbitrary code in the context of the WordPress process. That gives full control of the site: reading, modifying or deleting its data, planting web shells or backdoors, and using the compromised server as a pivot point against other systems on the same network. Because AccessAlly manages member accounts and integrates with payment and CRM systems, the data it handles makes a breach both a privacy and a financial problem.
CVE-2020-36875 was publicly disclosed on January 21, 2020. No active exploitation campaigns have been definitively attributed to this CVE, but an unauthenticated, pre-auth code execution bug in a WordPress plugin is a high-priority target regardless. This advisory does not cite a public proof-of-concept; treat one as possible and assume any unpatched, internet-facing install could be hit by automated scanning. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
Exploit Status
EPSS: 0.14% (33rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade AccessAlly to version 3.3.2 or later immediately. If upgrading is not possible right away because of compatibility issues or breaking changes, temporarily deactivate the plugin so that the vulnerable code path is no longer reachable. A web application firewall (WAF) rule that blocks suspicious code-injection payloads aimed at the login_error function can serve as a stopgap, but it is a compensating control, not a fix. Review web server access logs and the WordPress error log for unusual requests to the login path, and check the install for unexpected PHP files or modified plugin files in case the flaw has already been used.
Update to version 3.3.2, or a newer patched version.
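The first step of the mitigation above is simply knowing whether an install is in the affected range. The following is an added example, not code from AccessAlly or from this advisory: it reads the `Version:` field from a WordPress plugin's header comment (the same field WordPress itself reads) and compares it numerically against 3.3.2, which avoids the classic string-comparison bug where `"3.10.0" < "3.3.2"`. The plugin directory name `accessally` is an assumption based on the component name above, and the sample headers are constructed for the demonstration.

```python
"""Check whether an installed AccessAlly copy is older than the 3.3.2 fix.

Added example for CVE-2020-36875; not part of the AccessAlly project.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "3.3.2"          # first version containing the fix (from the advisory)
PLUGIN_SLUG = "accessally"       # assumed directory name under wp-content/plugins

# WordPress plugin headers are "Key: value" lines inside the main file's
# leading comment block, e.g. " * Version: 3.3.1".
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.3.1' or '3.3.2-rc1' into a tuple that compares numerically.

    The trailing element is 1 for a release and 0 for a pre-release, so that
    '3.3.2-rc1' sorts below '3.3.2' and is still treated as unfixed.
    """
    core, _, suffix = text.partition("-")
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:            # pad '3.3' to (3, 3, 0)
        parts.append(0)
    parts.append(0 if suffix else 1)
    return tuple(parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def version_from_header(source: str) -> Optional[str]:
    """Extract the Version: header value from a plugin's PHP source, if present."""
    m = _VERSION_RE.search(source)
    return m.group(1) if m else None


def check_plugin_source(source: str) -> Tuple[Optional[str], Optional[bool]]:
    """Return (version, affected) for one plugin file; (None, None) if no header."""
    v = version_from_header(source)
    return (v, is_affected(v)) if v is not None else (None, None)


def check_install(wp_root: Path, slug: str = PLUGIN_SLUG) -> Optional[Tuple[str, bool]]:
    """Locate the plugin under a WordPress root and report (version, affected).

    Returns None when the plugin directory or a Version: header cannot be found.
    """
    plugin_dir = wp_root / "wp-content" / "plugins" / slug
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        v, affected = check_plugin_source(php.read_text(encoding="utf-8", errors="replace"))
        if v is not None:
            return v, affected
    return None


# Constructed sample headers; they mimic the WordPress header format only.
SAMPLE_VULNERABLE = "<?php\n/**\n * Plugin Name: AccessAlly\n * Version: 3.3.1\n */\n"
SAMPLE_PATCHED = "<?php\n/**\n * Plugin Name: AccessAlly\n * Version: 3.3.2\n */\n"


def main() -> None:
    # Build a throwaway WordPress layout and run the check against it.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin_dir = root / "wp-content" / "plugins" / PLUGIN_SLUG
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "accessally.php").write_text(SAMPLE_VULNERABLE, encoding="utf-8")
        result = check_install(root)
        print(f"installed={result[0]} affected_by_CVE-2020-36875={result[1]}")


if __name__ == "__main__":
    main()
```

Run it against a real install with `check_install(Path("/var/www/html"))`; a `True` second element means the copy predates the fix and should be updated or deactivated before anything else.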
CVE-2020-36875 is a critical arbitrary code execution vulnerability in the AccessAlly WordPress plugin, affecting versions before 3.3.2, that lets an unauthenticated attacker execute code on the server.
Yes. If you run any AccessAlly version prior to 3.3.2, you are exposed to this RCE.
Upgrade AccessAlly to version 3.3.2 or later. If an immediate upgrade is not possible, temporarily deactivate the plugin until you can.
No active exploitation campaigns are publicly confirmed, but the severity and the unauthenticated attack path make it a likely target.
Refer to the AccessAlly website and WordPress plugin repository for the official advisory and update information.