The following WordPress themes are vulnerable to function injection in versions up to and including those listed: Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4. This is due to epsilon_framework_ajax_action. This makes it possible for unauthenticated attackers to call functions and achieve remote code execution.
References
Link | Resource |
---|---|
https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/ | Exploit Third Party Advisory |
https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-in-wordpress-sparkling-theme/ | Exploit Third Party Advisory |
https://wpscan.com/vulnerability/bec52a5b-c892-4763-a962-05da7100eca5 | Third Party Advisory |
https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/ | Third Party Advisory |
https://www.wordfence.com/threat-intel/vulnerabilities/id/5b75c322-539d-44e9-8f26-5ff929874b67?source=cve | Third Party Advisory |
History
16 Jun 2023, 15:21
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://www.wordfence.com/threat-intel/vulnerabilities/id/5b75c322-539d-44e9-8f26-5ff929874b67?source=cve - Third Party Advisory | |
References | (MISC) https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/ - Exploit, Third Party Advisory | |
References | (MISC) https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-in-wordpress-sparkling-theme/ - Exploit, Third Party Advisory | |
References | (MISC) https://wpscan.com/vulnerability/bec52a5b-c892-4763-a962-05da7100eca5 - Third Party Advisory | |
References | (MISC) https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/ - Third Party Advisory | |
First Time | Cpothemes brilliance, Colorlib pixova Lite, Colorlib bonkers, Colorlib activello, Colorlib shapely, Cpothemes allegiant, Cpothemes transcend, Colorlib illdy, Colorlib sparklinkg, Machothemes newsmag, Colorlib, Cpothemes, Machothemes, Machothemes antreas, Cpothemes affluent, Machothemes medzone Lite, Colorlib newspaper X, Machothemes regina Lite, Machothemes naturemag Lite | |
CWE | CWE-94 | |
CVSS | v2 : v3 : | v2 : unknown, v3 : 9.8 |
CPE | cpe:2.3:a:cpothemes:allegiant:*:*:*:*:*:wordpress:*:* cpe:2.3:a:machothemes:antreas:*:*:*:*:*:wordpress:*:* cpe:2.3:a:colorlib:pixova_lite:*:*:*:*:*:wordpress:*:* cpe:2.3:a:machothemes:newsmag:*:*:*:*:*:wordpress:*:* cpe:2.3:a:colorlib:illdy:*:*:*:*:*:wordpress:*:* cpe:2.3:a:cpothemes:brilliance:*:*:*:*:*:wordpress:*:* cpe:2.3:a:colorlib:shapely:*:*:*:*:*:wordpress:*:* cpe:2.3:a:colorlib:newspaper_x:*:*:*:*:*:wordpress:*:* cpe:2.3:a:colorlib:bonkers:*:*:*:*:*:wordpress:*:* cpe:2.3:a:cpothemes:transcend:*:*:*:*:*:wordpress:*:* cpe:2.3:a:machothemes:medzone_lite:*:*:*:*:*:wordpress:*:* cpe:2.3:a:machothemes:regina_lite:*:*:*:*:*:wordpress:*:* cpe:2.3:a:cpothemes:affluent:*:*:*:*:*:wordpress:*:* cpe:2.3:a:colorlib:sparklinkg:*:*:*:*:*:wordpress:*:* cpe:2.3:a:colorlib:activello:*:*:*:*:*:wordpress:*:* cpe:2.3:a:machothemes:naturemag_lite:*:*:*:*:*:wordpress:*:* |
07 Jun 2023, 02:45
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-06-07 02:15
Updated : 2024-02-28 20:13
NVD link : CVE-2020-36708
Mitre link : CVE-2020-36708
CVE.ORG link : CVE-2020-36708
Products Affected
colorlib
- pixova_lite
- illdy
- sparklinkg
- newspaper_x
- activello
- bonkers
- shapely
cpothemes
- transcend
- affluent
- brilliance
- allegiant
machothemes
- antreas
- medzone_lite
- newsmag
- regina_lite
- naturemag_lite
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')