{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2020-36708", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2023-06-06T12:45:33.848Z", "datePublished": "2023-06-07T01:51:22.525Z", "dateUpdated": "2026-04-08T16:55:21.011Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:21.011Z" }, "affected": [ { "vendor": "machothemes", "product": "Antreas", "versions": [ { "version": "0", "status": "affected", "lessThanOrEqual": "1.0.2", "versionType": "semver" } ], "defaultStatus": "unaffected" }, { "vendor": "machothemes", "product": "NatureMag Lite", "versions": [ { "version": "0", "status": "affected", "lessThanOrEqual": "1.0.4", "versionType": "semver" } ], "defaultStatus": "unaffected" }, { "vendor": "silkalns", "product": "Bonkers", "versions": [ { "version": "0", "status": "affected", "lessThanOrEqual": "1.0.4", "versionType": "semver" } ], "defaultStatus": "unaffected" }, { "vendor": "wpchill", "product": "Affluent", "versions": [ { "version": "0", "status": "affected", "lessThanOrEqual": "1.1.0", "versionType": "semver" } ], "defaultStatus": "unaffected" }, { "vendor": "wpchill", "product": "Transcend", "versions": [ { "version": "0", "status": "affected", "lessThanOrEqual": "1.1.8", "versionType": "semver" } ], "defaultStatus": "unaffected" }, { "vendor": "wpchill", "product": "Allegiant", "versions": [ { "version": "0", "status": "affected", "lessThanOrEqual": "1.2.2", "versionType": "semver" } ], "defaultStatus": "unaffected" }, { "vendor": "machothemes", "product": "MedZone Lite", "versions": [ { "version": "0", "status": "affected", "lessThanOrEqual": "1.2.4", "versionType": "semver" } ], "defaultStatus": "unaffected" }, { "vendor": "silkalns", "product": "Shapely", "versions": [ { "version": "0", "status": "affected", "lessThanOrEqual": "1.2.7", "versionType": "semver" } ], "defaultStatus": "unaffected" }, { "vendor": "wpchill", "product": "Brilliance", "versions": [ { "version": "0", "status": "affected", "lessThanOrEqual": "1.2.7", "versionType": "semver" } ], "defaultStatus": "unaffected" }, { "vendor": "silkalns", "product": "Newspaper X", "versions": [ { "version": "0", "status": "affected", "lessThanOrEqual": "1.3.1", "versionType": "semver" } ], "defaultStatus": "unaffected" }, { "vendor": "silkalns", "product": "Activello", "versions": [ { "version": "0", "status": "affected", "lessThanOrEqual": "1.4.0", "versionType": "semver" } ], "defaultStatus": "unaffected" }, { "vendor": "machothemes", "product": "Regina Lite", "versions": [ { "version": "0", "status": "affected", "lessThanOrEqual": "2.0.4", "versionType": "semver" } ], "defaultStatus": "unaffected" }, { "vendor": "silkalns", "product": "Pixova Lite", "versions": [ { "version": "0", "status": "affected", "lessThanOrEqual": "2.0.5", "versionType": "semver" } ], "defaultStatus": "unaffected" }, { "vendor": "silkalns", "product": "Illdy", "versions": [ { "version": "0", "status": "affected", "lessThanOrEqual": "2.1.4", "versionType": "semver" } ], "defaultStatus": "unaffected" }, { "vendor": "machothemes", "product": "NewsMag", "versions": [ { "version": "0", "status": "affected", "lessThanOrEqual": "2.4.1", "versionType": "semver" } ], "defaultStatus": "unaffected" }, { "vendor": "silkalns", "product": "Sparkling", "versions": [ { "version": "0", "status": "affected", "lessThanOrEqual": "2.4.8", "versionType": "semver" } ], "defaultStatus": "unaffected" } ], "descriptions": [ { "lang": "en", "value": "The following themes for WordPress are vulnerable to Function Injections in versions up to and including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4. This is due to epsilon_framework_ajax_action. This makes it possible for unauthenticated attackers to call functions and achieve remote code execution." } ], "title": "Epsilon Framework Themes (Various Versions) - Function Injection", "references": [ { "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b75c322-539d-44e9-8f26-5ff929874b67?source=cve" }, { "url": "https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/" }, { "url": "https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/" }, { "url": "https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-in-wordpress-sparkling-theme/" }, { "url": "https://wpscan.com/vulnerability/bec52a5b-c892-4763-a962-05da7100eca5" } ], "problemTypes": [ { "descriptions": [ { "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE" } ] } ], "metrics": [ { "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL" } } ], "credits": [ { "lang": "en", "type": "finder", "value": "Jerome Bruandet" } ], "timeline": [ { "time": "2020-10-01T00:00:00.000Z", "lang": "en", "value": "Disclosed" } ] }, "adp": [ { "providerMetadata": { "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:37:06.752Z" }, "title": "CVE Program Container", "references": [ { "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b75c322-539d-44e9-8f26-5ff929874b67?source=cve", "tags": [ "x_transferred" ] }, { "url": "https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/", "tags": [ "x_transferred" ] }, { "url": "https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/", "tags": [ "x_transferred" ] }, { "url": "https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-in-wordpress-sparkling-theme/", "tags": [ "x_transferred" ] }, { "url": "https://wpscan.com/vulnerability/bec52a5b-c892-4763-a962-05da7100eca5", "tags": [ "x_transferred" ] } ] }, { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2024-12-26T17:40:55.615787Z", "id": "CVE-2020-36708", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-28T00:56:18.718Z" } } ] } }