CVE-2020-36708: Unauthenticated function injection vulnerability in multiple WordPress themes using the Epsilon Framework, allowing remote code execution.


Multiple WordPress themes using the Epsilon Framework were found to contain a critical function injection vulnerability (CVE-2020-36708) that allows unauthenticated attackers to call arbitrary PHP functions, potentially leading to remote code execution. The vulnerability affects 16 themes including Shapely, NewsMag, Activello, Illdy, and others, in their respective versions prior to security patches. The issue is specifically related to the epsilon_framework_ajax_action functionality which fails to properly validate user input before executing functions.

Overview

This vulnerability (CWE-94: Code Injection) affects WordPress themes that implement the Epsilon Framework. The vulnerability allows unauthenticated attackers to inject and execute arbitrary PHP functions through the epsilon_framework_ajax_action AJAX handler. Since this handler lacks proper authentication and input validation, attackers can specify any PHP function to be executed, including those that could lead to remote code execution, data exfiltration, or complete site compromise. This vulnerability was actively exploited in the wild in large-scale attacks targeting these themes.

The affected themes include:

  • Shapely <= 1.2.7
  • NewsMag <= 2.4.1
  • Activello <= 1.4.0
  • Illdy <= 2.1.4
  • Allegiant <= 1.2.2
  • Newspaper X <= 1.3.1
  • Pixova Lite <= 2.0.5
  • Brilliance <= 1.2.7
  • MedZone Lite <= 1.2.4
  • Regina Lite <= 2.0.4
  • Transcend <= 1.1.8
  • Affluent <= 1.1.0
  • Bonkers <= 1.0.4
  • Antreas <= 1.0.2
  • Sparkling <= 2.4.8
  • NatureMag Lite <= 1.0.4

Remediation

To remediate this vulnerability, website administrators should take the following actions:

  1. Update all affected themes to their latest versions immediately:

    • Shapely to version > 1.2.7
    • NewsMag to version > 2.4.1
    • Activello to version > 1.4.0
    • Illdy to version > 2.1.4
    • Allegiant to version > 1.2.2
    • Newspaper X to version > 1.3.1
    • Pixova Lite to version > 2.0.5
    • Brilliance to version > 1.2.7
    • MedZone Lite to version > 1.2.4
    • Regina Lite to version > 2.0.4
    • Transcend to version > 1.1.8
    • Affluent to version > 1.1.0
    • Bonkers to version > 1.0.4
    • Antreas to version > 1.0.2
    • Sparkling to version > 2.4.8
    • NatureMag Lite to version > 1.0.4
  2. If immediate updates are not possible, consider temporarily switching to a default WordPress theme until updates can be applied.

  3. Implement a Web Application Firewall (WAF) that can block exploitation attempts targeting this vulnerability.

  4. Review server logs for suspicious activities that might indicate previous exploitation attempts.

  5. Maintain regular backups of your WordPress site to enable recovery in case of compromise.
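Step 4 asks administrators to review server logs for earlier exploitation attempts. The script below is an added example (not Armis, Epsilon Framework or theme code) that scans web-server access logs in the common "combined" format for requests reaching the `epsilon_framework_ajax_action` handler through WordPress's `wp-admin/admin-ajax.php` endpoint. It assumes that endpoint path and the combined log layout; the sample log lines are constructed, not real traffic. Because POST bodies are not recorded in access logs, POSTs to `admin-ajax.php` are reported separately as "possible" hits for manual follow-up.

```python
"""Flag access-log requests that reach the Epsilon Framework AJAX handler (CVE-2020-36708).
Added example for defenders; not code from the advisory or the affected themes."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" format: ip - user [time] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
HANDLER = "epsilon_framework_ajax_action"
AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"  # assumed: WordPress's standard AJAX entry point

def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_epsilon_ajax_request(entry):
    """True when the request hits admin-ajax.php with the vulnerable action in its query string."""
    parts = urlsplit(entry["path"])
    if not parts.path.endswith(AJAX_ENDPOINT):
        return False
    return HANDLER in parse_qs(parts.query).get("action", [])

def scan(lines):
    """Return (confirmed, possible). Confirmed: action visible in the query string.
    Possible: POSTs to admin-ajax.php whose body (and therefore action) is not logged."""
    confirmed, possible = [], []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed or non-combined-format lines
        if is_epsilon_ajax_request(entry):
            confirmed.append(entry)
        elif entry["method"] == "POST" and urlsplit(entry["path"]).path.endswith(AJAX_ENDPOINT):
            possible.append(entry)
    return confirmed, possible

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2020:14:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=epsilon_framework_ajax_action HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Nov/2020:14:02:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "curl/7.68.0"',
    '192.0.2.9 - - [10/Nov/2020:14:03:00 +0000] "GET /index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits, maybe = scan(SAMPLE_LOG)
    for e in hits:
        print("CONFIRMED", e["ip"], e["time"], e["path"])
    for e in maybe:
        print("POSSIBLE ", e["ip"], e["time"], e["path"])
```

Feed it real lines with `scan(open("access.log"))`; a non-empty confirmed list on an unpatched theme version is a strong reason to treat the site as compromised and restore from a clean backup.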

References

  1. NinTechNet Blog: Unauthenticated Function Injection Vulnerability Fixed in 15 WordPress Themes https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/

  2. NinTechNet Blog: Unauthenticated Function Injection Vulnerability in WordPress Sparkling Theme https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-in-wordpress-sparkling-theme/

  3. WPScan Vulnerability Database https://wpscan.com/vulnerability/bec52a5b-c892-4763-a962-05da7100eca5

  4. Wordfence Blog: Large Scale Attacks Target Epsilon Framework Themes https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/

  5. Wordfence Threat Intelligence https://www.wordfence.com/threat-intel/vulnerabilities/id/5b75c322-539d-44e9-8f26-5ff929874b67?source=cve


Armis Vulnerability Intelligence Database