Platform: wordpress
Component: allegiant
Fixed in: 1.2.3, 1.0.5, 2.4.2, 1.2.8, 1.0.5, 2.0.5, 1.1.9, 2.4.9, 1.3.2, 1.0.3, 1.1.1, 1.2.8, 1.4.1, 2.1.5, 1.2.5, 2.0.6
CVE-2020-36708 describes a critical function injection vulnerability impacting several WordPress themes, including Shapely, NewsMag, and Allegiant. This flaw allows unauthenticated attackers to execute arbitrary code on vulnerable systems. The vulnerability affects versions up to 2.4.8, and a patch is available in version 2.4.9.
The impact of this vulnerability is severe. An attacker can leverage the epsilon_framework_ajax_action to inject and execute arbitrary PHP code on the WordPress server. This can lead to complete compromise of the website, including data theft, defacement, malware installation, and potential access to the underlying server. The lack of authentication requirements means that any external user can trigger this vulnerability, significantly expanding the attack surface. This vulnerability shares similarities with other WordPress plugin and theme vulnerabilities where improper input validation allows for code execution.
This CVE was published on 2023-06-07. While no active exploitation campaigns have been publicly confirmed, the critical severity and ease of exploitation make it a high-priority target. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread attacks. It is not listed on the CISA KEV catalog as of this writing.
Websites using WordPress with the affected themes (Shapely, NewsMag, Allegiant, etc.) are at risk, particularly those with outdated installations or lacking robust security practices. Shared hosting environments are especially vulnerable as they often host multiple WordPress instances, increasing the potential attack surface.
• wordpress / composer / npm:
grep -r 'epsilon_framework_ajax_action' /var/www/html/wp-content/themes/
wp theme list | grep -i shapely
wp theme list | grep -i newsmag
• generic web:
curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=epsilon_framework_ajax_action'
Exploit Status
EPSS
90.47% (percentile 100%)
CVSS Vector
The primary mitigation is to immediately upgrade the affected WordPress themes to version 2.4.9 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the vulnerable themes. As a secondary measure, implement a Web Application Firewall (WAF) rule to block requests containing suspicious payloads targeting the epsilon_framework_ajax_action. Regularly review WordPress plugin and theme updates to proactively address potential vulnerabilities.
Update the affected WordPress themes to the latest available version. This fixes the function injection vulnerability and protects your website against remote code execution.
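The upgrade check can be scripted per theme. The following is an added example, not part of the original advisory: it reports whether a theme directory contains the epsilon_framework_ajax_action hook and whether its style.css version is below a fixed release that you pass in for that theme. The function names, the status labels and the fixture theme demo-theme are constructed for illustration, and GNU sort -V is assumed.

```shell
#!/bin/sh
# Added example: report whether a theme ships the AJAX hook named in the
# advisory and whether its style.css version is below the fixed release.
HOOK='epsilon_framework_ajax_action'

# Print the "Version:" header from a theme's style.css, or "unknown".
theme_version() {
    [ -f "$1/style.css" ] || { echo unknown; return 0; }
    v=$(sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9A-Za-z.+-]*\).*/\1/p' \
        "$1/style.css" | head -n 1)
    echo "${v:-unknown}"
}

# True when version $1 sorts strictly before $2 (assumes GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_theme THEME_DIR FIXED_VERSION -> prints "name version status".
# FIXED_VERSION is the fixed release for that theme, chosen by the operator.
check_theme() {
    name=$(basename "$1")
    ver=$(theme_version "$1")
    if ! grep -rqF --include='*.php' "$HOOK" "$1"; then
        status=HOOK_ABSENT          # theme does not reference the hook
    elif [ "$ver" = unknown ]; then
        status=CHECK_MANUALLY       # hook present, version not readable
    elif version_lt "$ver" "$2"; then
        status=BELOW_FIX            # hook present, older than the fix
    else
        status=AT_OR_ABOVE_FIX
    fi
    echo "$name $ver $status"
}

# Constructed fixture (not a real theme) so the script runs offline.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/demo-theme/inc"
    printf '/*\nTheme Name: Demo\nVersion: 2.4.8\n*/\n' > "$t/demo-theme/style.css"
    printf "<?php add_action('wp_ajax_nopriv_%s', 'cb');\n" "$HOOK" \
        > "$t/demo-theme/inc/ajax.php"
    check_theme "$t/demo-theme" 2.4.9
    rm -rf "$t"
}
demo
```

On a real site, call check_theme once per directory under wp-content/themes/ with the fixed version that applies to that theme.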
CVE-2020-36708 is a critical vulnerability allowing unauthenticated attackers to execute code in several WordPress themes like Shapely and NewsMag due to improper handling of the epsilon_framework_ajax_action.
You are affected if you are using Shapely, NewsMag, Allegiant, or other listed themes in versions up to 2.4.8. Check your theme versions and upgrade immediately.
Upgrade the affected WordPress themes to version 2.4.9 or later. If immediate upgrade is not possible, temporarily disable the vulnerable themes and implement WAF rules.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation make it a high-priority target for attackers.
Refer to the theme developers' websites or WordPress.org for official advisories and updates related to CVE-2020-36708.