平台
wordpress
组件
allegiant
修复版本
1.2.3
1.0.5
2.4.2
1.2.8
1.0.5
2.0.5
1.1.9
2.4.9
1.3.2
1.0.3
1.1.1
1.2.8
1.4.1
2.1.5
1.2.5
2.0.6
CVE-2020-36708 describes a critical function injection vulnerability impacting several WordPress themes, including Shapely, NewsMag, and Allegiant. This flaw allows unauthenticated attackers to execute arbitrary code on vulnerable systems. The vulnerability affects versions up to 2.4.8, and a patch is available in version 2.4.9.
The impact of this vulnerability is severe. An attacker can leverage the epsilonframeworkajax_action to inject and execute arbitrary PHP code on the WordPress server. This can lead to complete compromise of the website, including data theft, defacement, malware installation, and potential access to the underlying server. The lack of authentication requirements means that any external user can trigger this vulnerability, significantly expanding the attack surface. This vulnerability shares similarities with other WordPress plugin and theme vulnerabilities where improper input validation allows for code execution.
This CVE was published on 2023-06-07. While no active exploitation campaigns have been publicly confirmed, the critical severity and ease of exploitation make it a high-priority target. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread attacks. It is not listed on the CISA KEV catalog as of this writing.
Websites using WordPress with the affected themes (Shapely, NewsMag, Allegiant, etc.) are at risk, particularly those with outdated installations or lacking robust security practices. Shared hosting environments are especially vulnerable as they often host multiple WordPress instances, increasing the potential attack surface.
• wordpress / composer / npm:
grep -r 'epsilon_framework_ajax_action' /var/www/html/wp-content/themes/
wp plugin list --all | grep shapely
wp plugin list --all | grep newsmag• generic web:
curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=epsilon_framework_ajax_actiondiscovery
disclosure
patch
漏洞利用状态
EPSS
90.47% (100% 百分位)
CVSS 向量
The primary mitigation is to immediately upgrade the affected WordPress themes to version 2.4.9 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the vulnerable themes. As a secondary measure, implement a Web Application Firewall (WAF) rule to block requests containing suspicious payloads targeting the epsilonframeworkajax_action. Regularly review WordPress plugin and theme updates to proactively address potential vulnerabilities.
将受影响的 WordPress 主题更新到最新可用版本。这将修复函数注入漏洞并保护您的网站免受远程代码执行。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2020-36708 is a critical vulnerability allowing unauthenticated attackers to execute code in several WordPress themes like Shapely and NewsMag due to improper handling of the epsilonframeworkajax_action.
You are affected if you are using Shapely, NewsMag, Allegiant, or other listed themes in versions up to 2.4.8. Check your theme versions and upgrade immediately.
Upgrade the affected WordPress themes to version 2.4.9 or later. If immediate upgrade is not possible, temporarily disable the vulnerable themes and implement WAF rules.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation make it a high-priority target for attackers.
Refer to the theme developers' websites or WordPress.org for official advisories and updates related to CVE-2020-36708.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。