The following WordPress themes are vulnerable to function injection in the listed versions and all earlier ones: Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4. This is due to epsilon_framework_ajax_action. This makes it possible for unauthenticated attackers to call functions and achieve remote code execution.
References
Link | Resource |
---|---|
https://wpscan.com/vulnerability/bec52a5b-c892-4763-a962-05da7100eca5 | Third Party Advisory |
https://www.wordfence.com/threat-intel/vulnerabilities/id/5b75c322-539d-44e9-8f26-5ff929874b67?source=cve | Third Party Advisory |
https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/ | Exploit Third Party Advisory |
https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/ | Third Party Advisory |
https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-in-wordpress-sparkling-theme/ | Exploit Third Party Advisory |
History
16 Jun 2023, 15:21
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-94 | |
CVSS | v2 : v3 : | v2 : unknown, v3 : 9.8 |
References | (MISC) https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/ - Exploit, Third Party Advisory | |
References | (MISC) https://www.wordfence.com/threat-intel/vulnerabilities/id/5b75c322-539d-44e9-8f26-5ff929874b67?source=cve - Third Party Advisory | |
References | (MISC) https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/ - Third Party Advisory | |
References | (MISC) https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-in-wordpress-sparkling-theme/ - Exploit, Third Party Advisory | |
References | (MISC) https://wpscan.com/vulnerability/bec52a5b-c892-4763-a962-05da7100eca5 - Third Party Advisory | |
First Time | Cpothemes transcend, Colorlib newspaper X, Machothemes regina Lite, Colorlib, Cpothemes affluent, Colorlib illdy, Machothemes antreas, Machothemes newsmag, Colorlib sparklinkg, Cpothemes, Cpothemes brilliance, Colorlib shapely, Machothemes naturemag Lite, Machothemes, Colorlib activello, Cpothemes allegiant, Machothemes medzone Lite, Colorlib pixova Lite, Colorlib bonkers | |
CPE | cpe:2.3:a:colorlib:sparklinkg:*:*:*:*:*:wordpress:*:* cpe:2.3:a:colorlib:illdy:*:*:*:*:*:wordpress:*:* cpe:2.3:a:cpothemes:transcend:*:*:*:*:*:wordpress:*:* cpe:2.3:a:colorlib:pixova_lite:*:*:*:*:*:wordpress:*:* cpe:2.3:a:machothemes:regina_lite:*:*:*:*:*:wordpress:*:* cpe:2.3:a:machothemes:newsmag:*:*:*:*:*:wordpress:*:* cpe:2.3:a:machothemes:naturemag_lite:*:*:*:*:*:wordpress:*:* cpe:2.3:a:colorlib:newspaper_x:*:*:*:*:*:wordpress:*:* cpe:2.3:a:colorlib:shapely:*:*:*:*:*:wordpress:*:* cpe:2.3:a:colorlib:activello:*:*:*:*:*:wordpress:*:* cpe:2.3:a:machothemes:medzone_lite:*:*:*:*:*:wordpress:*:* cpe:2.3:a:colorlib:bonkers:*:*:*:*:*:wordpress:*:* cpe:2.3:a:cpothemes:brilliance:*:*:*:*:*:wordpress:*:* cpe:2.3:a:machothemes:antreas:*:*:*:*:*:wordpress:*:* cpe:2.3:a:cpothemes:affluent:*:*:*:*:*:wordpress:*:* cpe:2.3:a:cpothemes:allegiant:*:*:*:*:*:wordpress:*:* |
07 Jun 2023, 02:45
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-06-07 02:15
Updated : 2023-11-07 03:22
NVD link : CVE-2020-36708
Mitre link : CVE-2020-36708
Products Affected
cpothemes
- brilliance
- affluent
- allegiant
- transcend
colorlib
- shapely
- newspaper_x
- illdy
- sparklinkg
- bonkers
- pixova_lite
- activello
machothemes
- newsmag
- naturemag_lite
- antreas
- medzone_lite
- regina_lite
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')