Platform
wordpress
Component
allegiant
Opgelost in
1.2.3
1.0.5
2.4.2
1.2.8
1.0.5
2.0.5
1.1.9
2.4.9
1.3.2
1.0.3
1.1.1
1.2.8
1.4.1
2.1.5
1.2.5
2.0.6
CVE-2020-36708 describes a critical function injection vulnerability impacting several WordPress themes, including Shapely, NewsMag, and Allegiant. This flaw allows unauthenticated attackers to execute arbitrary code on vulnerable systems. The vulnerability affects versions up to 2.4.8, and a patch is available in version 2.4.9.
The impact of this vulnerability is severe. An attacker can leverage the epsilonframeworkajax_action to inject and execute arbitrary PHP code on the WordPress server. This can lead to complete compromise of the website, including data theft, defacement, malware installation, and potential access to the underlying server. The lack of authentication requirements means that any external user can trigger this vulnerability, significantly expanding the attack surface. This vulnerability shares similarities with other WordPress plugin and theme vulnerabilities where improper input validation allows for code execution.
This CVE was published on 2023-06-07. While no active exploitation campaigns have been publicly confirmed, the critical severity and ease of exploitation make it a high-priority target. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread attacks. It is not listed on the CISA KEV catalog as of this writing.
Websites using WordPress with the affected themes (Shapely, NewsMag, Allegiant, etc.) are at risk, particularly those with outdated installations or lacking robust security practices. Shared hosting environments are especially vulnerable as they often host multiple WordPress instances, increasing the potential attack surface.
• wordpress / composer / npm:
grep -r 'epsilon_framework_ajax_action' /var/www/html/wp-content/themes/
wp plugin list --all | grep shapely
wp plugin list --all | grep newsmag• generic web:
curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=epsilon_framework_ajax_actiondiscovery
disclosure
patch
Exploit Status
EPSS
90.47% (100% percentiel)
CVSS-vector
The primary mitigation is to immediately upgrade the affected WordPress themes to version 2.4.9 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the vulnerable themes. As a secondary measure, implement a Web Application Firewall (WAF) rule to block requests containing suspicious payloads targeting the epsilonframeworkajax_action. Regularly review WordPress plugin and theme updates to proactively address potential vulnerabilities.
Werk de getroffen WordPress thema's bij naar de laatste beschikbare versie. Dit zal de Function Injection kwetsbaarheid oplossen en uw website beschermen tegen remote code execution.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2020-36708 is a critical vulnerability allowing unauthenticated attackers to execute code in several WordPress themes like Shapely and NewsMag due to improper handling of the epsilonframeworkajax_action.
You are affected if you are using Shapely, NewsMag, Allegiant, or other listed themes in versions up to 2.4.8. Check your theme versions and upgrade immediately.
Upgrade the affected WordPress themes to version 2.4.9 or later. If immediate upgrade is not possible, temporarily disable the vulnerable themes and implement WAF rules.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation make it a high-priority target for attackers.
Refer to the theme developers' websites or WordPress.org for official advisories and updates related to CVE-2020-36708.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.