6.5

CVE-2020-36721

Exploit

EPSS 0.15%
Veröffentlicht 07.06.2023 02:15:12
Zuletzt bearbeitet 21.11.2024 05:30:09
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Epsilon Framework Themes (Various Versions) - Unauthenticated Plugin Activation/Deactivation

The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing capability and security checks/nonces. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins installed on a vulnerable site.

Mögliche Gegenmaßnahme

Activello: Update to version 1.4.2, or a newer patched version

Brilliance: Update to version 1.3.0, or a newer patched version

Newspaper X: Update to version 1.3.2, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 9

Weitere Schwachstelleninformationen

SystemWordPress Theme

≫

Produkt Activello

Version *-1.4.0

SystemWordPress Theme

≫

Produkt Brilliance

Version *-1.2.7

SystemWordPress Theme

≫

Produkt Newspaper X

Version *-1.3.1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Colorlib ≫ Activello SwPlatformwordpress Version < 1.4.2

Colorlib ≫ Bonkers SwPlatformwordpress Version < 1.0.6

Colorlib ≫ Illdy SwPlatformwordpress Version < 2.1.7

Colorlib ≫ Newspaper X SwPlatformwordpress Version < 1.3.2

Colorlib ≫ Pixova Lite SwPlatformwordpress Version < 2.0.7

Colorlib ≫ Shapely SwPlatformwordpress Version < 1.2.9

Cpothemes ≫ Affluent SwPlatformwordpress Version < 1.1.2

Cpothemes ≫ Allegiant SwPlatformwordpress Version < 1.2.6

Cpothemes ≫ Brilliance SwPlatformwordpress Version < 1.3.0

Cpothemes ≫ Transcend SwPlatformwordpress Version < 1.2.0

Machothemes ≫ Antreas SwPlatformwordpress Version < 1.0.7

Machothemes ≫ Medzone Lite SwPlatformwordpress Version < 1.2.6

Machothemes ≫ Naturemag Lite SwPlatformwordpress Version <= 1.0.4

Machothemes ≫ Newsmag SwPlatformwordpress Version < 2.4.2

Machothemes ≫ Regina Lite SwPlatformwordpress Version < 2.0.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.15%	0.356

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
security@wordfence.com	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/

Third Party Advisory

Exploit

https://wordpress.org/themes/activello/

Product

https://wordpress.org/themes/brilliance/

Product

https://wordpress.org/themes/newspaper-x/

Product

https://www.wordfence.com/threat-intel/vulnerabilities/id/a9e4e989-8e55-4ea7-8f42-9f67cfab1168?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/a9e4e989-8e55-4ea7-8f42-9f67cfab1168

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-36721

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-36721

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-36721

EUVD