CVE-2020-35135

8.8 HIGH

📋 TL;DR

CVE-2020-35135 is a Cross-Site Request Forgery (CSRF) vulnerability in the Ultimate Category Excluder WordPress plugin. It allows attackers to trick authenticated administrators into performing unintended actions, potentially modifying plugin settings. This affects WordPress sites using vulnerable versions of the plugin.

💻 Affected Systems

Products:
  • WordPress Ultimate Category Excluder plugin
Versions: All versions before 1.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin activated. Attack requires tricking an authenticated administrator.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could change plugin settings to exclude critical categories from display, disrupting website functionality and potentially causing denial of service for affected content.

🟠 Likely Case

Attackers modify category exclusion settings, causing content display issues that require administrative intervention to fix.

🟢 If Mitigated

With proper CSRF protections and user awareness, exploitation attempts fail, maintaining normal plugin functionality.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks are well-understood and easy to implement. Exploitation requires social engineering to trick authenticated users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2434070

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Ultimate Category Excluder.
4. Click 'Update Now' if available, or manually update to version 1.2+.
5. Verify the plugin is active and functioning.

🔧 Temporary Workarounds

Temporary Plugin Deactivation (applies to: all)

Disable the vulnerable plugin until patched:

wp plugin deactivate ultimate-category-excluder

CSRF Protection Implementation (applies to: all)

Add CSRF tokens to plugin forms via custom code.
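One way to apply the CSRF-token workaround above, written for WordPress as an added example that is not code from the Ultimate Category Excluder plugin; the option name, form field names, admin page slug and the uce_example_* function names are assumptions. It shows the unprotected handler shape beside the nonce-protected one.

```php
<?php
/*
 * Added illustration, not code from the Ultimate Category Excluder plugin.
 * Hypothetical settings handler for a WordPress admin page. Option name,
 * field names, page slug and the 'uce_example_*' names are assumptions.
 */

// Vulnerable pattern: any request carrying the POST fields is trusted, so a
// form submitted cross-site by a logged-in administrator's browser is
// indistinguishable from a legitimate one (the CSRF condition in this CVE).
function uce_example_save_settings_vulnerable() {
    if ( isset( $_POST['exclude_categories'] ) ) {
        $ids = array_map( 'intval', (array) $_POST['exclude_categories'] );
        update_option( 'uce_example_excluded', $ids );
    }
}

// Hardened pattern, part 1: the form embeds a nonce bound to this action and
// to the current user's session, which a cross-origin page cannot read.
function uce_example_render_form() {
    $excluded = (array) get_option( 'uce_example_excluded', array() );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=uce-example' ) ) . '">';
    wp_nonce_field( 'uce_example_save', 'uce_example_nonce' ); // hidden nonce field
    foreach ( get_categories( array( 'hide_empty' => false ) ) as $cat ) {
        printf(
            '<label><input type="checkbox" name="exclude_categories[]" value="%d"%s> %s</label><br>',
            $cat->term_id,
            checked( in_array( $cat->term_id, $excluded, true ), true, false ),
            esc_html( $cat->name )
        );
    }
    submit_button( 'Save' );
    echo '</form>';
}

// Hardened pattern, part 2: verify the nonce before touching any option, and
// check the capability explicitly rather than relying on the menu registration.
function uce_example_save_settings_hardened() {
    if ( ! isset( $_POST['uce_example_nonce'] ) ) {
        return; // not a submission of this form
    }
    // Dies with HTTP 403 if the nonce is missing, expired or for another action/user.
    check_admin_referer( 'uce_example_save', 'uce_example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $ids = array_map( 'intval', (array) ( $_POST['exclude_categories'] ?? array() ) );
    update_option( 'uce_example_excluded', array_values( array_filter( $ids ) ) );
}
add_action( 'admin_init', 'uce_example_save_settings_hardened' );
```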

🧯 If You Can't Patch

  • Remove the Ultimate Category Excluder plugin entirely and use alternative category management solutions.
  • Implement web application firewall rules to block CSRF attempts targeting the plugin endpoints.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Ultimate Category Excluder → View version. If version is below 1.2, system is vulnerable.

Check Version:

wp plugin get ultimate-category-excluder --field=version

Verify Fix Applied:

Confirm plugin version is 1.2 or higher in WordPress admin panel and test category exclusion functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-admin/admin.php?page=ultimate-category-excluder
  • Multiple failed CSRF token validations in WordPress logs

Network Indicators:

  • HTTP requests to plugin admin endpoints without proper referrer headers or CSRF tokens

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/admin.php" AND query_string="page=ultimate-category-excluder")
