CVE-2020-36176

7.5 HIGH

📋 TL;DR

The iThemes Security plugin for WordPress before version 7.7.0 does not enforce a required password change at the user's next login; the requirement only takes effect on the second login after it is set, so the old password keeps working for one more session. This affects WordPress sites whose administrators have enabled password change requirements for user accounts.

💻 Affected Systems

Products:
  • iThemes Security (formerly Better WP Security) WordPress plugin
Versions: All versions before 7.7.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when password change requirements are enabled in plugin settings.

📦 What is this software?

iThemes Security (formerly Better WP Security) is a WordPress security plugin. Among its features is the ability to require users to change their passwords; the flaw described here is in how that requirement is enforced at login.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with compromised credentials could keep using them even after a password change requirement is enforced, potentially leading to persistent unauthorized access and data breaches.

🟠 Likely Case

Users with compromised passwords bypass the immediate enforcement, delaying remediation of the credential exposure by one login.

🟢 If Mitigated

With proper monitoring and multi-factor authentication, the exposure window is short and the residual risk is minimal.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires already-compromised credentials and knowledge that a password change requirement has been set for the account.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.7.0

Vendor Advisory: https://wordpress.org/plugins/better-wp-security/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find iThemes Security and click 'Update Now'.
4. Alternatively, download version 7.7.0+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Manual Password Reset Enforcement

Force password resets for affected users through the WordPress admin or directly in the database. The statement below resets a single account (run it once per user, or widen the WHERE clause); replace 'username' with the real login and adjust the wp_ table prefix if your site uses a different one. Overwriting user_pass with an unknown hash means the user must go through "Lost your password?" to log in again, and because WordPress auth cookies are bound to a fragment of the stored hash, existing login cookies for that user stop validating as well.

-- Replace 'username' with the account to reset; MD5(RAND()) stores a hash nobody knows.
UPDATE wp_users SET user_pass = MD5(RAND()) WHERE user_login = 'username';

🧯 If You Can't Patch

  • Disable password change requirements in iThemes Security settings
  • Implement additional authentication controls like IP restrictions or 2FA

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > iThemes Security version number

Check Version:

wp plugin get better-wp-security --field=version

(The plugin's slug in the WordPress repository is better-wp-security, as in the vendor advisory URL; wp-cli filters on the slug, not on the display name "iThemes Security".)

Verify Fix Applied:

Confirm iThemes Security version is 7.7.0 or higher in plugin details
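As an added check for the verification steps above (example script, not part of the advisory or the plugin): the function below compares the installed version against 7.7.0 segment by segment, so that a release such as 7.10.x is not misjudged by a plain string comparison. It assumes wp-cli is run from the site root and uses the plugin slug better-wp-security from the vendor advisory URL.

```shell
#!/bin/sh
# Added example: decide whether an installed iThemes Security version
# carries the CVE-2020-36176 fix. Pure POSIX sh; no GNU `sort -V` needed.
FIXED_VERSION="7.7.0"   # first fixed release, from the advisory

# version_ge A B: returns 0 (true) when dotted version A >= B.
# Missing segments count as 0, so 7.7 == 7.7.0. Non-digit suffixes such
# as "-beta1" are ignored, so a pre-release of 7.7.0 is treated as fixed.
version_ge() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a="${v1%%.*}"; b="${v2%%.*}"
        # drop the consumed segment; empty once the last one is used
        case "$v1" in *.*) v1="${v1#*.}";; *) v1="";; esac
        case "$v2" in *.*) v2="${v2#*.}";; *) v2="";; esac
        a="${a%%[!0-9]*}"; b="${b%%[!0-9]*}"
        a="${a:-0}"; b="${b:-0}"
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
    done
    return 0
}

# ithemes_status [VERSION]: prints FIXED, VULNERABLE or NOT_INSTALLED and
# returns 0/1/2 accordingly. Without an argument it asks wp-cli for the
# installed version of the plugin (slug: better-wp-security).
ithemes_status() {
    installed="${1:-$(wp plugin get better-wp-security --field=version 2>/dev/null)}"
    if [ -z "$installed" ]; then echo "NOT_INSTALLED"; return 2; fi
    if version_ge "$installed" "$FIXED_VERSION"; then echo "FIXED"; return 0; fi
    echo "VULNERABLE"; return 1
}
```

Call `ithemes_status` with no argument on the site host to check the live install; the exit code makes it usable from a fleet-wide inventory script.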

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful login with old password after password change requirement set

Network Indicators:

  • Unusual login patterns from same IP/user agent after password policy changes

SIEM Query:

source="wordpress.log" AND "password change required" AND "login successful"

(Adapt the source name and message strings to what your logging plugin or web server actually emits; WordPress core does not log these events by itself.)
