CVE-2020-36666

2023-03-2716:15:07

[email protected]

web.nvd.nist.gov

wordpress

security vulnerability

ajax

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.5

Confidence

High

EPSS

0.001

Percentile

37.2%

JSON

The directory-pro WordPress plugin before 1.9.5, final-user-wp-frontend-user-profiles WordPress plugin before 1.2.2, producer-retailer WordPress plugin through TODO, photographer-directory WordPress plugin before 1.0.9, real-estate-pro WordPress plugin before 1.7.1, institutions-directory WordPress plugin before 1.3.1, lawyer-directory WordPress plugin before 1.2.9, doctor-listing WordPress plugin before 1.3.6, Hotel Listing WordPress plugin before 1.3.7, fitness-trainer WordPress plugin before 1.4.1, wp-membership WordPress plugin before 1.5.7, sold by the same developer (e-plugins), do not implementing any security measures in some AJAX calls. For example in the file plugin.php, the function iv_directories_update_profile_setting() uses update_user_meta with any data provided by the ajax call, which can be used to give the logged in user admin capabilities. Since the plugins allow user registration via a custom form (even if the blog does not allow users to register) it makes any site using it vulnerable.

Affected configurations

Nvd

Node

e-pluginsdirectory_proRange<1.9.5wordpress

e-pluginsfinal_userRange<1.2.2wordpress

e-pluginsfitness_trainerRange<1.4.1wordpress

e-pluginshospital_\&_doctor_directoryRange<1.3.6wordpress

e-pluginshotel_directoryRange<1.3.7wordpress

e-pluginsinstitutions_directoryRange<1.3.1wordpress

e-pluginslawyer_directoryRange<1.2.9wordpress

e-pluginsphotographer-directoryRange<1.0.9wordpress

e-pluginsproducer-retailerMatch-wordpress

e-pluginsreal_estate_proRange<1.7.1wordpress

e-pluginswp_membershipRange<1.5.7wordpress

VendorProductVersionCPE
e-pluginsdirectory_pro*cpe:2.3:a:e-plugins:directory_pro:*:*:*:*:*:wordpress:*:*
e-pluginsfinal_user*cpe:2.3:a:e-plugins:final_user:*:*:*:*:*:wordpress:*:*
e-pluginsfitness_trainer*cpe:2.3:a:e-plugins:fitness_trainer:*:*:*:*:*:wordpress:*:*
e-pluginshospital_\&_doctor_directory*cpe:2.3:a:e-plugins:hospital_\&_doctor_directory:*:*:*:*:*:wordpress:*:*
e-pluginshotel_directory*cpe:2.3:a:e-plugins:hotel_directory:*:*:*:*:*:wordpress:*:*
e-pluginsinstitutions_directory*cpe:2.3:a:e-plugins:institutions_directory:*:*:*:*:*:wordpress:*:*
e-pluginslawyer_directory*cpe:2.3:a:e-plugins:lawyer_directory:*:*:*:*:*:wordpress:*:*
e-pluginsphotographer-directory*cpe:2.3:a:e-plugins:photographer-directory:*:*:*:*:*:wordpress:*:*
e-pluginsproducer-retailer-cpe:2.3:a:e-plugins:producer-retailer:-:*:*:*:*:wordpress:*:*
e-pluginsreal_estate_pro*cpe:2.3:a:e-plugins:real_estate_pro:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
e-plugins	directory_pro	*	cpe:2.3:a:e-plugins:directory_pro::::::wordpress::*
e-plugins	final_user	*	cpe:2.3:a:e-plugins:final_user::::::wordpress::*
e-plugins	fitness_trainer	*	cpe:2.3:a:e-plugins:fitness_trainer::::::wordpress::*
e-plugins	hospital_\&_doctor_directory	*	cpe:2.3:a:e-plugins:hospital_\&_doctor_directory::::::wordpress::*
e-plugins	hotel_directory	*	cpe:2.3:a:e-plugins:hotel_directory::::::wordpress::*
e-plugins	institutions_directory	*	cpe:2.3:a:e-plugins:institutions_directory::::::wordpress::*
e-plugins	lawyer_directory	*	cpe:2.3:a:e-plugins:lawyer_directory::::::wordpress::*
e-plugins	photographer-directory	*	cpe:2.3:a:e-plugins:photographer-directory::::::wordpress::*
e-plugins	producer-retailer	-	cpe:2.3:a:e-plugins:producer-retailer:-:::::wordpress::
e-plugins	real_estate_pro	*	cpe:2.3:a:e-plugins:real_estate_pro::::::wordpress::*