cbcvebase.
CVE-2020-36837
published 2024-10-16

CVE-2020-36837: The ThemeGrill Demo Importer plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the reset_wizard_actions function…

PriorityP183critical9.9CVSS 3.1
AVNACLPRLUINSCCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
0.57%
42.8th percentile
The ThemeGrill Demo Importer plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the reset_wizard_actions function in versions 1.3.4 through 1.6.1. This makes it possible for authenticated attackers to reset the WordPress database. After which, if there is a user named 'admin', the attacker will become automatically logged in as an administrator.

Affected

1 ranges
VendorProductVersion rangeFixed in
themegrillthemegrill_demo_importer1.3.4 – 1.6.1

CVSS provenance

nvdv3.19.9CRITICALCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vulncheck9.9CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.