CVE-2020-36666 - Vulnerability Details

The directory-pro WordPress plugin before 1.9.5, final-user-wp-frontend-user-profiles WordPress plugin before 1.2.2, producer-retailer WordPress plugin through TODO, photographer-directory WordPress plugin before 1.0.9, real-estate-pro WordPress plugin before 1.7.1, institutions-directory WordPress plugin before 1.3.1, lawyer-directory WordPress plugin before 1.2.9, doctor-listing WordPress plugin before 1.3.6, Hotel Listing WordPress plugin before 1.3.7, fitness-trainer WordPress plugin before 1.4.1, wp-membership WordPress plugin before 1.5.7, sold by the same developer (e-plugins), do not implementing any security measures in some AJAX calls. For example in the file plugin.php, the function iv_directories_update_profile_setting() uses update_user_meta with any data provided by the ajax call, which can be used to give the logged in user admin capabilities. Since the plugins allow user registration via a custom form (even if the blog does not allow users to register) it makes any site using it vulnerable.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
E-plugins	Directory Pro Final User Fitness Trainer Hospital \& Doctor Directory Hotel Directory Institutions Directory Lawyer Directory Photographer-directory Producer-retailer Real Estate Pro Wp Membership

Configuration 1 [-]

OR	cpe:2.3:a:e-plugins:directory_pro::::::wordpress::*
	cpe:2.3:a:e-plugins:final_user::::::wordpress::*
	cpe:2.3:a:e-plugins:fitness_trainer::::::wordpress::*
	cpe:2.3:a:e-plugins:hospital_\&_doctor_directory::::::wordpress::*
	cpe:2.3:a:e-plugins:hotel_directory::::::wordpress::*
	cpe:2.3:a:e-plugins:institutions_directory::::::wordpress::*
	cpe:2.3:a:e-plugins:lawyer_directory::::::wordpress::*
	cpe:2.3:a:e-plugins:photographer-directory::::::wordpress::*
	cpe:2.3:a:e-plugins:producer-retailer:-:::::wordpress::
	cpe:2.3:a:e-plugins:real_estate_pro::::::wordpress::*
	cpe:2.3:a:e-plugins:wp_membership::::::wordpress::*

No data.

References

Link	Providers
https://codecanyon.net/user/e-plugins
https://wpscan.com/vulnerability/d079cb16-ead5-4bc8-b0b8-4a4dc2a54c96

History

Wed, 19 Feb 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2023-03-27T15:37:27.159Z

Updated: 2025-02-19T20:09:36.125Z

Reserved: 2023-03-06T09:23:56.829Z

Link: CVE-2020-36666

Vulnrichment

Updated: 2024-08-04T17:30:08.573Z

NVD

Status : Modified

Published: 2023-03-27T16:15:07.660

Modified: 2025-02-19T20:15:32.657

Link: CVE-2020-36666

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object