CVE-2020-36708

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary PHP functions via the epsilon_framework_ajax_action in vulnerable WordPress themes, leading to remote code execution. It affects multiple WordPress themes using the Epsilon Framework. Anyone running affected theme versions is vulnerable.

💻 Affected Systems

Products:
  • Shapely
  • NewsMag
  • Activello
  • Illdy
  • Allegiant
  • Newspaper X
  • Pixova Lite
  • Brilliance
  • MedZone Lite
  • Regina Lite
  • Transcend
  • Affluent
  • Bonkers
  • Antreas
  • Sparkling
  • NatureMag Lite
Versions: Up to and including Shapely 1.2.7, NewsMag 2.4.1, Activello 1.4.0, Illdy 2.1.4, Allegiant 1.2.2, Newspaper X 1.3.1, Pixova Lite 2.0.5, Brilliance 1.2.7, MedZone Lite 1.2.4, Regina Lite 2.0.4, Transcend 1.1.8, Affluent 1.1.0, Bonkers 1.0.4, Antreas 1.0.2, Sparkling 2.4.8, NatureMag Lite 1.0.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using affected theme versions are vulnerable by default. No special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the WordPress site, installing backdoors, stealing data, and using the server for further attacks.

🟠 Likely Case

Website defacement, malware injection, credential theft, and use as part of botnets or for cryptocurrency mining.

🟢 If Mitigated

Limited impact if proper web application firewalls, file integrity monitoring, and least privilege principles are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploits are publicly available and have been used in large-scale attacks. Attack requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to latest versions of each theme (check individual theme changelogs)

Vendor Advisory: https://wpscan.com/vulnerability/bec52a5b-c892-4763-a962-05da7100eca5

Restart Required: No

Instructions:

1. Log in to the WordPress admin panel.
2. Navigate to Appearance > Themes.
3. Check for updates on affected themes.
4. Update all vulnerable themes to latest versions.
5. Verify updates completed successfully.

🔧 Temporary Workarounds

Disable vulnerable themes

Platform: all

Switch to a non-vulnerable theme until patches can be applied

wp theme activate twentytwentyone
wp theme delete [vulnerable-theme-name]

Web Application Firewall rule

Platform: linux

Block requests to epsilon_framework_ajax_action endpoint

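<LocationMatch "/wp-admin/admin-ajax\.php">
    # Request_URI excludes the query string and the request body, so this pattern does not see an
    # action name sent as a parameter; use a WAF that parses request arguments for that case.
    SetEnvIf Request_URI "epsilon_framework_ajax_action" block_epsilon
    Deny from env=block_epsilon
</LocationMatch>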

🧯 If You Can't Patch

  • Implement strict web application firewall rules blocking suspicious PHP function calls
  • Enable file integrity monitoring to detect unauthorized file changes

🔍 How to Verify

Check if Vulnerable:

Check WordPress theme versions in Appearance > Themes or use: wp theme list --fields=name,status,version

Check Version:

wp theme list --fields=name,version

Verify Fix Applied:

Verify theme versions are above vulnerable ranges and test admin-ajax.php endpoint for epsilon_framework_ajax_action
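
The version check above can be scripted across many sites. This is an added example, not part of the original advisory or of any theme's code: it reads the CSV output of wp theme list --fields=name,status,version --format=csv and flags themes at or below the versions listed under Affected Systems. It assumes theme slugs are the product names lowercased with separators removed; the sample input is constructed.

```python
import csv
import io

# Last vulnerable version of each theme, copied from this advisory.
LAST_VULNERABLE = {
    "Shapely": "1.2.7", "NewsMag": "2.4.1", "Activello": "1.4.0",
    "Illdy": "2.1.4", "Allegiant": "1.2.2", "Newspaper X": "1.3.1",
    "Pixova Lite": "2.0.5", "Brilliance": "1.2.7", "MedZone Lite": "1.2.4",
    "Regina Lite": "2.0.4", "Transcend": "1.1.8", "Affluent": "1.1.0",
    "Bonkers": "1.0.4", "Antreas": "1.0.2", "Sparkling": "2.4.8",
    "NatureMag Lite": "1.0.4",
}

def norm(name):
    # Assumption: a slug matches the display name once case and separators are dropped.
    return "".join(ch for ch in name.lower() if ch.isalnum())

def parse_version(text):
    # '2.4.10' -> (2, 4, 10, 0): numeric compare, padded so '1.2.7' == '1.2.7.0'.
    parts = [int(p) if p.isdigit() else 0 for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

THRESHOLDS = {norm(k): parse_version(v) for k, v in LAST_VULNERABLE.items()}

def vulnerable_themes(csv_text):
    """Return (name, status, version) for each theme at or below its listed version."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        limit = THRESHOLDS.get(norm(row["name"]))
        if limit is not None and parse_version(row["version"]) <= limit:
            hits.append((row["name"], row.get("status", ""), row["version"]))
    return hits

# Constructed sample of the wp-cli CSV output (not taken from a real site).
SAMPLE = """name,status,version
shapely,active,1.2.7
newspaper-x,inactive,1.3.2
illdy,inactive,2.1.4
twentytwentyone,inactive,1.8
sparkling,inactive,2.4.10
"""

if __name__ == "__main__":
    for name, status, version in vulnerable_themes(SAMPLE):
        print(f"VULNERABLE {name} {version} ({status})")
```

Versions are compared numerically per component, so 2.4.10 is correctly treated as newer than 2.4.8; inactive themes are reported as well so they can be updated or deleted.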

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-admin/admin-ajax.php with epsilon_framework_ajax_action parameter
  • Unusual PHP function calls in web server logs
  • File creation/modification in wp-content directory

Network Indicators:

  • HTTP POST requests containing eval(), system(), exec() or similar functions in parameters
  • Traffic patterns matching known exploit payloads

SIEM Query:

source="web_logs" AND uri_path="/wp-admin/admin-ajax.php" AND (param="epsilon_framework_ajax_action" OR param CONTAINS "eval" OR param CONTAINS "system")
