CVE-2020-36726

9.8 CRITICAL

📋 TL;DR

The Ultimate Reviews WordPress plugin up to version 2.1.32 contains a PHP object injection vulnerability due to insecure deserialization of untrusted input. Unauthenticated attackers can exploit this to inject arbitrary PHP objects, potentially leading to remote code execution. All WordPress sites using vulnerable plugin versions are affected.

💻 Affected Systems

Products:
  • WordPress Ultimate Reviews plugin
Versions: Up to and including 2.1.32
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with the vulnerable plugin version are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, and website defacement.

🟠 Likely Case: Website compromise through arbitrary code execution, potentially leading to backdoor installation and data exfiltration.

🟢 If Mitigated: Limited impact if proper input validation and output encoding are implemented, though deserialization vulnerabilities remain dangerous.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No POP chain required in the plugin itself, but attackers can use PHP's built-in classes for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.33 and later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2409141

Restart Required: No

Instructions:

1. Log into WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Ultimate Reviews plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 2.1.33+ from WordPress.org and manually update.

🔧 Temporary Workarounds

Disable vulnerable plugin (Platform: all)

  Temporarily disable the Ultimate Reviews plugin until patched:

    wp plugin deactivate ultimate-reviews

Web Application Firewall rule (Platform: all)

  Block deserialization attempts at WAF level

🧯 If You Can't Patch

  • Remove the Ultimate Reviews plugin completely
  • Implement strict input validation and sanitization at application layer

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Ultimate Reviews → Version number

Check Version:

wp plugin get ultimate-reviews --field=version

Verify Fix Applied:

Verify plugin version is 2.1.33 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to WordPress admin-ajax.php or plugin endpoints
  • PHP deserialization errors in logs
  • Unexpected file creation in wp-content/uploads

Network Indicators:

  • HTTP requests containing serialized PHP objects (O: syntax)
  • Traffic to unusual ports from WordPress server

SIEM Query:

source="wordpress.log" AND ("ultimate-reviews" OR "admin-ajax.php") AND ("unserialize" OR "O:" OR "C:")
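The log indicators above, turned into a small scanner as an added example (this is not code from the advisory or from the plugin). It assumes a proxy or WAF log that records POST bodies, in the constructed "<method> <path> <body>" shape below, and flags only requests to admin-ajax.php or plugin paths whose decoded body contains a PHP serialized object or class opener (O:<len>:"Name":<n>:{ or C:<len>:"Name":<n>:{), so that a bare "O:" in free text does not fire.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not from any real incident): "<method> <path> <body>".
# Assumption: the log source records request bodies; ordinary access logs do not.
SAMPLE_LOG = [
    'POST /wp-admin/admin-ajax.php action=ultimate_reviews_submit&data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D',
    'POST /wp-admin/admin-ajax.php action=heartbeat&interval=60',
    'GET /wp-content/plugins/ultimate-reviews/css/style.css -',
    'POST /wp-admin/admin-ajax.php action=ultimate_reviews&data=C%3A11%3A%22ArrayObject%22%3A0%3A%7B%7D',
    'POST /wp-admin/admin-ajax.php action=ultimate_reviews_submit&review=O%3A+great+plugin',
]

# PHP serialized object/class opener: O:<len>:"<Name>":<n>:{  or  C:<len>:"<Name>":<n>:{
SERIALIZED_OBJ = re.compile(r'\b[OC]:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')

# Only the endpoints named in the indicators: admin-ajax.php and the plugin's own paths
TARGET_PATH = re.compile(r'admin-ajax\.php|ultimate-reviews')


def scan(lines):
    """Return (line_no, path, matched_fragment) for each request that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split(' ', 2)
        if len(parts) != 3:
            continue  # malformed line, skip rather than guess
        _method, path, body = parts
        if not TARGET_PATH.search(path):
            continue
        # Decode %XX and '+' once so the serialized syntax is visible to the regex.
        # Double-encoded bodies would need a second unquote_plus pass.
        decoded = unquote_plus(body)
        m = SERIALIZED_OBJ.search(decoded)
        if m:
            hits.append((n, path, m.group(0)))
    return hits


if __name__ == "__main__":
    for line_no, path, fragment in scan(SAMPLE_LOG):
        print(f"line {line_no}: {path} -> {fragment}")
```

The fifth sample line contains "O:" inside a review text and is correctly not reported, which is the precision the SIEM query's bare "O:" term lacks.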
