CVE-2020-36708
Published: 2023-06-07
Priority: P190 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 65.34% (99.2th percentile)
The following themes for WordPress are vulnerable to Function Injections in versions up to and including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4. This is due to epsilon_framework_ajax_action. This makes it possible for unauthenticated attackers to call functions and achieve remote code execution.
Affected
31 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| colorlib | activello | < 1.4.2 | 1.4.2 |
| colorlib | bonkers | < 1.0.6 | 1.0.6 |
| colorlib | illdy | < 2.1.7 | 2.1.7 |
| colorlib | newspaper_x | < 1.3.2 | 1.3.2 |
| colorlib | pixova_lite | < 2.0.7 | 2.0.7 |
| colorlib | shapely | < 1.2.9 | 1.2.9 |
| colorlib | sparklinkg | <= 2.4.8 | — |
| cpothemes | affluent | < 1.1.2 | 1.1.2 |
| cpothemes | allegiant | < 1.2.6 | 1.2.6 |
| cpothemes | brilliance | < 1.3.0 | 1.3.0 |
| cpothemes | transcend | < 1.2.0 | 1.2.0 |
| machothemes | antreas | < 1.0.7 | 1.0.7 |
| machothemes | antreas | <= 1.0.2 | — |
| machothemes | medzone_lite | < 1.2.6 | 1.2.6 |
| machothemes | medzone_lite | <= 1.2.4 | — |
| machothemes | naturemag_lite | <= 1.0.4 | — |
| machothemes | newsmag | < 2.4.2 | 2.4.2 |
| machothemes | newsmag | <= 2.4.1 | — |
| machothemes | regina_lite | < 2.0.6 | 2.0.6 |
| machothemes | regina_lite | <= 2.0.4 | — |
| silkalns | activello | <= 1.4.0 | — |
| silkalns | bonkers | <= 1.0.4 | — |
| silkalns | illdy | <= 2.1.4 | — |
| silkalns | newspaper_x | <= 1.3.1 | — |
| silkalns | pixova_lite | <= 2.0.5 | — |
Detection & IOCs
url: /wp-admin/admin-ajax.php?action=action_name
command: action=epsilon_framework_ajax_action&args%5Baction%5D%5B%5D=Requests&args%5Baction%5D%5B%5D=request_multiple&args%5Bargs%5D%5B0%5D%5Burl%5D=https://oast.me/
path: /wp-admin/admin-ajax.php
- Detect exploit attempts by monitoring POST requests to /wp-admin/admin-ajax.php containing the parameter 'epsilon_framework_ajax_action' in the body, particularly with args[action][]=Requests and args[action][]=request_multiple.
- The exploit requires no authentication — flag unauthenticated POST requests to admin-ajax.php with the epsilon_framework_ajax_action parameter as high-priority alerts.
- The vulnerability is triggered via the WordPress AJAX handler 'epsilon_framework_ajax_action', which allows unauthenticated callers to invoke arbitrary PHP functions including Requests::request_multiple, enabling SSRF and RCE.
- Content-Type header 'application/x-www-form-urlencoded; charset=UTF-8' is used in the exploit POST request — combine with the admin-ajax.php path and body parameters for a high-fidelity detection signature.
- Successful exploitation may result in outbound HTTP requests from the WordPress server (SSRF); monitor for unexpected outbound connections originating from the web server process following admin-ajax.php POST requests.
- The Nuclei template targets a broad set of 16 vulnerable WordPress themes (Epsilon Framework); detection should not be scoped to a single theme but to the shared AJAX action handler present across all affected themes.
- The exploit is listed in CISA KEV (kev: true), indicating active in-the-wild exploitation; prioritize detection and patching accordingly.
- EPSS score is 0.90049 at the 99.58th percentile, indicating extremely high likelihood of exploitation in the wild; treat any matching traffic as critical.
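The detection guidance above, expressed as a small request classifier. This is an added example, not code from any of the sources this page indexes; the record schema (method, url, cookie, body), the severity labels and the sample records are assumptions constructed here, and the callback URL is a placeholder.

```python
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
HANDLER = "epsilon_framework_ajax_action"

def classify(req):
    """Grade one request record; returns (severity, reasons) or (None, [])."""
    url = urlsplit(req["url"])
    if req["method"].upper() != "POST" or not url.path.endswith(AJAX_PATH):
        return None, []
    # parse_qs percent-decodes keys: args%5Baction%5D%5B%5D -> args[action][]
    params = parse_qs(url.query, keep_blank_values=True)
    for key, values in parse_qs(req.get("body", ""), keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    if HANDLER not in params.get("action", []):
        return None, []
    reasons = [HANDLER + " invoked"]
    callee = params.get("args[action][]", [])
    if callee:
        reasons.append("caller-supplied callable " + "::".join(callee))
    # Cookie-name presence is only a heuristic for an authenticated session.
    if "wordpress_logged_in_" in req.get("cookie", ""):
        return "review", reasons
    reasons.append("no WordPress login cookie")
    return ("critical" if callee else "high"), reasons

# Constructed sample records (assumed schema); the callback URL is a placeholder.
SAMPLES = [
    {"method": "POST", "url": "/wp-admin/admin-ajax.php", "cookie": "",
     "body": "action=epsilon_framework_ajax_action"
             "&args%5Baction%5D%5B%5D=Requests"
             "&args%5Baction%5D%5B%5D=request_multiple"
             "&args%5Bargs%5D%5B0%5D%5Burl%5D=https://example.invalid/"},
    {"method": "POST", "url": "/wp-admin/admin-ajax.php?action=epsilon_framework_ajax_action",
     "cookie": "", "body": ""},
    {"method": "POST", "url": "/wp-admin/admin-ajax.php",
     "cookie": "wordpress_logged_in_0123=constructed", "body": "action=heartbeat"},
    {"method": "GET", "url": "/wp-admin/admin-ajax.php?action=epsilon_framework_ajax_action",
     "cookie": "", "body": ""},
]

def scan(records):
    """Return (index, severity, reasons) for every record that matches."""
    graded = ((i, *classify(r)) for i, r in enumerate(records))
    return [g for g in graded if g[1]]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit)
```

Because the handler name is shared by every affected theme, the match keys on the action value rather than on any theme path.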
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-48h4-c5mw-4h8j: The following themes for WordPress are vulnerable to Function Injections in versions up to and including Shapely <= 1
ghsa_unreviewed·2023-06-07
CVE-2020-36708 [CRITICAL] CWE-94 GHSA-48h4-c5mw-4h8j: The following themes for WordPress are vulnerable to Function Injections in versions up to and including Shapely <= 1
VulnCheck
colorlib activello Improper Control of Generation of Code ('Code Injection')
vulncheck·2020·CVSS 9.8
CVE-2020-36708 [CRITICAL] colorlib activello Improper Control of Generation of Code ('Code Injection')
Affected: colorlib activello
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product
No detection rules found.
Nuclei
WordPress Epsilon Framework Themes <=2.4.8 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2020-36708 [CRITICAL] WordPress Epsilon Framework Themes <=2.4.8 - Remote Code Execution
WordPress themes including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4 contain a function injection caused by epsilon_framework_ajax_action, which lets unauthenticated attackers call functions and achieve remote code execution. The exploit requires no authentication.
Template:

```yaml
id: CVE-2020-36708
info:
  name: WordPress Epsilon Framework Themes <=2.4.8 - Remote Code Execution
  author: madrobot
  severity: critical
  description: |
    WordPress themes including S
```
No writeups or analysis indexed.
- https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/
- https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-in-wordpress-sparkling-theme/
- https://wpscan.com/vulnerability/bec52a5b-c892-4763-a962-05da7100eca5
- https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5b75c322-539d-44e9-8f26-5ff929874b67?source=cve