id: CVE-2020-36719

info:
  name: ListingPro < 2.6.1 - Arbitrary Plugin Installation/Activation/Deactivation
  author: ritikchaddha
  severity: critical
  description: |
    The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. This is due to a missing capability check on the lp_cc_addons_actions function. This makes it possible for unauthenticated attackers to arbitrarily install, activate and deactivate any plugin.
  impact: |
    Unauthenticated attackers can arbitrarily install, activate or deactivate plugins, potentially installing malicious plugins to gain complete site control.
  remediation: |
    Upgrade to ListingPro version 2.6.1 or later.
  reference:
    - https://blog.nintechnet.com/wordpress-listingpro-theme-fixed-a-critical-vulnerability/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-36719
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-36719
    epss-score: 0.04304
    epss-percentile: 0.89875
    cwe-id: CWE-862
    cpe: cpe:2.3:a:cridio:listingpro:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: cridio
    product: listingpro
    fofa-query: body="/wp-content/plugins/listingpro"
  tags: cve,cve2020,wp,wp-pluginwordpress,listingpro,passive,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/themes/listingpro/style.css"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "ListingPro"
          - "Version:"
        condition: and

      - type: dsl
        dsl:
          - compare_versions(detected_version, '< 2.6.1')
          - status_code == 200
        condition: and

    extractors:
      - type: regex
        part: body
        name: detected_version
        group: 1
        regex:
          - '(?i)Version:\s?([\w.]+)'
# digest: 490a0046304402203fa6457b64cf6e9d525f9982bc67c46d519e913e09fbb01224bebd37d0d12b4b0220305ab3d3bfb929b2673d0a1d6c118b2ebadfb7a7128f35c4905cdd1861f9649a:922c64590222798bb761d5b6d8e72950