cbcvebase.
CVE-2020-36666
published 2023-03-27

CVE-2020-36666: The directory-pro WordPress plugin before 1.9.5, final-user-wp-frontend-user-profiles WordPress plugin before 1.2.2, producer-retailer WordPress plugin through…

PriorityP346high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.91%
55.3th percentile
The directory-pro WordPress plugin before 1.9.5, final-user-wp-frontend-user-profiles WordPress plugin before 1.2.2, producer-retailer WordPress plugin through TODO, photographer-directory WordPress plugin before 1.0.9, real-estate-pro WordPress plugin before 1.7.1, institutions-directory WordPress plugin before 1.3.1, lawyer-directory WordPress plugin before 1.2.9, doctor-listing WordPress plugin before 1.3.6, Hotel Listing WordPress plugin before 1.3.7, fitness-trainer WordPress plugin before 1.4.1, wp-membership WordPress plugin before 1.5.7, sold by the same developer (e-plugins), do not implementing any security measures in some AJAX calls. For example in the file plugin.php, the function iv_directories_update_profile_setting() uses update_user_meta with any data provided by the ajax call, which can be used to give the logged in user admin capabilities. Since the plugins allow user registration via a custom form (even if the blog does not allow users to register) it makes any site using it vulnerable.

Affected

10 ranges
VendorProductVersion rangeFixed in
e-pluginsdirectory_pro< 1.9.51.9.5
e-pluginsfinal_user< 1.2.21.2.2
e-pluginsfitness_trainer< 1.4.11.4.1
e-pluginshospital_doctor_directory< 1.3.61.3.6
e-pluginshotel_directory< 1.3.71.3.7
e-pluginsinstitutions_directory< 1.3.11.3.1
e-pluginslawyer_directory< 1.2.91.2.9
e-pluginsphotographer-directory< 1.0.91.0.9
e-pluginsreal_estate_pro< 1.7.11.7.1
e-pluginswp_membership< 1.5.71.5.7
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.