CVE-2020-36708

Summary

The following themes for WordPress are vulnerable to Function Injections in versions up to and including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4. This is due to epsilon_framework_ajax_action. This makes it possible for unauthenticated attackers to call functions and achieve remote code execution.

Affected Software

VendorProductVersion RangeStatus
machothemesAntreas0 <= 1.0.2affected
machothemesNatureMag Lite0 <= 1.0.4affected
silkalnsBonkers0 <= 1.0.4affected
wpchillAffluent0 <= 1.1.0affected
wpchillTranscend0 <= 1.1.8affected
wpchillAllegiant0 <= 1.2.2affected
machothemesMedZone Lite0 <= 1.2.4affected
silkalnsShapely0 <= 1.2.7affected
wpchillBrilliance0 <= 1.2.7affected
silkalnsNewspaper X0 <= 1.3.1affected
silkalnsActivello0 <= 1.4.0affected
machothemesRegina Lite0 <= 2.0.4affected
silkalnsPixova Lite0 <= 2.0.5affected
silkalnsIlldy0 <= 2.1.4affected
machothemesNewsMag0 <= 2.4.1affected
silkalnsSparkling0 <= 2.4.8affected

Weaknesses

  • CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References