Platform: wordpress
Component: accessally
Fixed in: 3.3.2
CVE-2020-36875 describes a critical arbitrary code execution (remote code execution, RCE) vulnerability in AccessAlly, a WordPress plugin. The flaw allows unauthenticated attackers to execute code of their choosing on the server, which can lead to complete compromise of the site. Versions of AccessAlly prior to 3.3.2 are affected; the fix is in version 3.3.2.
The impact of this vulnerability is severe. An attacker can leverage the login_error function to inject and execute arbitrary code on the WordPress server, giving them complete control of the website, including theft, modification or deletion of its data. A compromised server can also serve as a launchpad for further attacks against other systems on the network. Given the plugin's functionality (likely involving user data and potentially payment processing), the potential for data breaches and financial loss is significant.
CVE-2020-36875 was publicly disclosed on January 21, 2020. No active exploitation campaigns have been definitively linked to this CVE, but its ease of exploitation and potential impact make it a high-priority target. Public proof-of-concept (PoC) code is likely available, which increases the risk of exploitation. The vulnerability was not listed in CISA KEV at the time of writing.
Websites running AccessAlly plugin versions prior to 3.3.2 are at risk, particularly sites with limited security expertise, those on older WordPress installations, and shared hosting environments where plugin updates are not managed promptly. Sites that handle sensitive user data or financial transactions are especially exposed.
• wordpress / composer / npm:
  grep -r "login_error" /var/www/html/wp-content/plugins/accessally/
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep accessally
• generic web: Check the WordPress plugin directory for outdated AccessAlly versions.
• generic web: Review WordPress error logs for suspicious code execution attempts related to the login process.
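As an added example (not from the advisory or from AccessAlly), the following POSIX shell script reads the Version header of an installed copy of the plugin and reports whether it predates the fixed release 3.3.2. It assumes the plugin's main file is accessally/accessally.php and embeds a constructed sample header so it can be run offline.

```shell
#!/bin/sh
# Added example, not part of the advisory: flag an AccessAlly install whose
# plugin header reports a version older than the fixed release 3.3.2.
# Assumption: the plugin's main file is accessally/accessally.php.
FIXED_VERSION="3.3.2"

# version_lt A B -> exit 0 when dotted version A is numerically lower than B.
# Missing components count as 0; non-digits (e.g. "-beta") are dropped.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        ai=$(printf '%s' "$ai" | tr -cd '0-9'); bi=$(printf '%s' "$bi" | tr -cd '0-9')
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1   # versions are equal
}

# plugin_version DIR -> print the "Version:" header of DIR/accessally.php.
plugin_version() {
    main="$1/accessally.php"
    [ -r "$main" ] || return 1
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*//p' "$main" | head -n 1 \
        | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# accessally_status DIR -> print vulnerable | patched | unknown.
accessally_status() {
    v=$(plugin_version "$1") || { echo unknown; return 0; }
    [ -n "$v" ] || { echo unknown; return 0; }
    if version_lt "$v" "$FIXED_VERSION"; then echo vulnerable; else echo patched; fi
}

# make_sample_plugin VERSION -> constructed plugin dir for offline testing
# (a minimal WordPress plugin header, not a real AccessAlly file).
make_sample_plugin() {
    dir=$(mktemp -d)
    printf '<?php\n/*\n * Plugin Name: AccessAlly\n * Version: %s\n */\n' "$1" \
        > "$dir/accessally.php"
    printf '%s\n' "$dir"
}

# Usage: sh check_accessally.sh /var/www/html/wp-content/plugins/accessally
if [ "$#" -gt 0 ]; then accessally_status "$1"; fi
```

Pair the result with the wp-cli output above: a "vulnerable" verdict for an active plugin is the case to act on first.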
disclosure
Exploit Status
EPSS: 0.14% (33rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade AccessAlly to version 3.3.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the AccessAlly plugin. Web application firewalls (WAFs) configured to detect and block suspicious code injection attempts targeting the login_error function could provide a temporary layer of protection. Monitor WordPress error logs for any unusual activity or attempts to exploit the vulnerability.
Update to version 3.3.2, or a newer patched version
CVE-2020-36875 is a critical arbitrary code execution vulnerability in the AccessAlly WordPress plugin, versions before 3.3.2, that allows attackers to execute code on the server.
Yes. If you are running an AccessAlly plugin version prior to 3.3.2, you are exposed to this RCE vulnerability.
Upgrade AccessAlly to version 3.3.2 or later to resolve this vulnerability. If immediate upgrade is not possible, temporarily disable the plugin.
While no confirmed active campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a potential target.
Refer to the AccessAlly website and WordPress plugin repository for the official advisory and update information.