Vulnerability Description
AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget. The plugin processes the login_error parameter as PHP code, allowing an attacker to supply and execute arbitrary PHP in the context of the WordPress web server process, resulting in remote code execution.
Related Weaknesses (CWE)
References
- https://accessally.com/software-release/accessally-3-3-2/
- https://wpscan.com/vulnerability/c644de6d-098d-4889-b75d-53fd2b89ff4d/
- https://www.vulncheck.com/advisories/accessally-unauthenticated-arbitrary-php-co
- https://wpscan.com/vulnerability/c644de6d-098d-4889-b75d-53fd2b89ff4d/
FAQ
What is CVE-2020-36875?
CVE-2020-36875 is a documented vulnerability. AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget. The plugin processes the login_error parameter as PHP cod...
How severe is CVE-2020-36875?
CVSS scoring is not yet available for CVE-2020-36875. Check NVD for updates.
Is there a patch for CVE-2020-36875?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.