cbcvebase.
CVE-2020-36708
published 2023-06-07

Priority: P190 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 65.34% (99.2th percentile)

The following themes for WordPress are vulnerable to Function Injections in versions up to and including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4. This is due to epsilon_framework_ajax_action. This makes it possible for unauthenticated attackers to call functions and achieve remote code execution.

Affected

31 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| colorlib | activello | < 1.4.2 | 1.4.2 |
| colorlib | bonkers | < 1.0.6 | 1.0.6 |
| colorlib | illdy | < 2.1.7 | 2.1.7 |
| colorlib | newspaper_x | < 1.3.2 | 1.3.2 |
| colorlib | pixova_lite | < 2.0.7 | 2.0.7 |
| colorlib | shapely | < 1.2.9 | 1.2.9 |
| colorlib | sparklinkg | <= 2.4.8 | |
| cpothemes | affluent | < 1.1.2 | 1.1.2 |
| cpothemes | allegiant | < 1.2.6 | 1.2.6 |
| cpothemes | brilliance | < 1.3.0 | 1.3.0 |
| cpothemes | transcend | < 1.2.0 | 1.2.0 |
| machothemes | antreas | < 1.0.7 | 1.0.7 |
| machothemes | antreas | <= 1.0.2 | |
| machothemes | medzone_lite | < 1.2.6 | 1.2.6 |
| machothemes | medzone_lite | <= 1.2.4 | |
| machothemes | naturemag_lite | <= 1.0.4 | |
| machothemes | newsmag | < 2.4.2 | 2.4.2 |
| machothemes | newsmag | <= 2.4.1 | |
| machothemes | regina_lite | < 2.0.6 | 2.0.6 |
| machothemes | regina_lite | <= 2.0.4 | |
| silkalns | activello | <= 1.4.0 | |
| silkalns | bonkers | <= 1.0.4 | |
| silkalns | illdy | <= 2.1.4 | |
| silkalns | newspaper_x | <= 1.3.1 | |
| silkalns | pixova_lite | <= 2.0.5 | |

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php?action=action_name
command: action=epsilon_framework_ajax_action&args%5Baction%5D%5B%5D=Requests&args%5Baction%5D%5B%5D=request_multiple&args%5Bargs%5D%5B0%5D%5Burl%5D=https://oast.me/
path: /wp-admin/admin-ajax.php
  • Detect exploit attempts by monitoring POST requests to /wp-admin/admin-ajax.php whose body sets action=epsilon_framework_ajax_action, particularly together with args[action][]=Requests and args[action][]=request_multiple.
  • The exploit requires no authentication — flag unauthenticated POST requests to admin-ajax.php with the epsilon_framework_ajax_action parameter as high-priority alerts.
  • The vulnerability is triggered via the WordPress AJAX handler 'epsilon_framework_ajax_action', which allows unauthenticated callers to invoke arbitrary PHP functions including Requests::request_multiple, enabling SSRF and RCE.
  • Content-Type header 'application/x-www-form-urlencoded; charset=UTF-8' is used in the exploit POST request — combine with the admin-ajax.php path and body parameters for a high-fidelity detection signature.
  • Successful exploitation may result in outbound HTTP requests from the WordPress server (SSRF); monitor for unexpected outbound connections originating from the web server process following admin-ajax.php POST requests.
  • The Nuclei template targets a broad set of 16 vulnerable WordPress themes (Epsilon Framework); detection should not be scoped to a single theme but to the shared AJAX action handler present across all affected themes.
  • The exploit is listed in CISA KEV (kev: true), indicating active in-the-wild exploitation; prioritize detection and patching accordingly.
  • EPSS score is 0.90049 at the 99.58th percentile, indicating extremely high likelihood of exploitation in the wild; treat any matching traffic as critical.
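
The detection guidance above can be applied to parsed proxy or WAF records as follows. This is an added example, not code from any of the sources this page quotes; the `classify` and `scan` functions, the record layout, and the sample requests (including the `example.invalid` destination) are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

AJAX_PATH = "/wp-admin/admin-ajax.php"
HOOK = "epsilon_framework_ajax_action"

def classify(method, target, body=""):
    """Return (severity, callable_parts) for one HTTP request.

    severity is None (no match), "high" (the hook is invoked) or
    "critical" (the hook is invoked with an args[action][] callable).
    """
    url = urlsplit(target)
    # endswith() also covers WordPress installed in a subdirectory.
    if method.upper() != "POST" or not url.path.endswith(AJAX_PATH):
        return None, []
    # admin-ajax.php reads the action from $_REQUEST, so the hook name
    # can arrive in the query string as well as in the form body.
    params = parse_qsl(url.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    if not any(k == "action" and v == HOOK for k, v in params):
        return None, []
    # parse_qsl percent-decodes keys, so args%5Baction%5D%5B%5D and
    # args[action][] are matched by the same test.
    parts = [v for k, v in params if k.startswith("args[action]")]
    return ("critical" if parts else "high"), parts

def scan(records):
    """Yield an alert dict for every matching (method, target, body) record."""
    for method, target, body in records:
        severity, parts = classify(method, target, body)
        if severity:
            yield {"severity": severity, "target": target,
                   "callable": "::".join(parts)}

# Constructed sample records: (method, request target, form body).
SAMPLES = [
    ("POST", "/wp-admin/admin-ajax.php",
     "action=epsilon_framework_ajax_action&args%5Baction%5D%5B%5D=Requests"
     "&args%5Baction%5D%5B%5D=request_multiple"
     "&args%5Bargs%5D%5B0%5D%5Burl%5D=https://example.invalid/"),
    ("POST", "/blog/wp-admin/admin-ajax.php?action=epsilon_framework_ajax_action", ""),
    ("POST", "/wp-admin/admin-ajax.php", "action=heartbeat&interval=60"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(alert)
```

Because the match is on the shared handler name rather than a theme path, one rule covers every affected theme; the `callable` field records which function the request tried to reach, which helps triage alongside outbound-connection monitoring.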

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 · CRITICAL