CVE-2020-36666

Multiple e-plugins - Subscriber+ Privilege Escalation

  • Severity Score: 8.8 (CVSS v3.1)
  • Public Exploits: 1 (multiple sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

The directory-pro WordPress plugin before 1.9.5, final-user-wp-frontend-user-profiles WordPress plugin before 1.2.2, producer-retailer WordPress plugin through TODO, photographer-directory WordPress plugin before 1.0.9, real-estate-pro WordPress plugin before 1.7.1, institutions-directory WordPress plugin before 1.3.1, lawyer-directory WordPress plugin before 1.2.9, doctor-listing WordPress plugin before 1.3.6, Hotel Listing WordPress plugin before 1.3.7, fitness-trainer WordPress plugin before 1.4.1, and wp-membership WordPress plugin before 1.5.7, all sold by the same developer (e-plugins), do not implement any security measures in some AJAX calls. For example, in the file plugin.php, the function iv_directories_update_profile_setting() calls update_user_meta with any data provided by the AJAX call, which can be used to give the logged-in user admin capabilities. Since the plugins allow user registration via a custom form (even if the blog does not allow users to register), any site using them is vulnerable.

Multiple plugins by the vendor E-plugins are vulnerable to privilege escalation due to insufficient restriction on several functions called via AJAX actions that set a user's role based on supplied role information. This makes it possible for authenticated attackers with subscriber-level access and above to elevate their privileges to that of an administrator.

*Credits: Omar Badran, WPScan
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2023-03-06 CVE Reserved
  • 2023-03-06 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • 2024-10-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-266: Incorrect Privilege Assignment
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| E-plugins | Directory Pro | < 1.9.5 | wordpress | Affected |
| E-plugins | Final User | < 1.2.2 | wordpress | Affected |
| E-plugins | Fitness Trainer | < 1.4.1 | wordpress | Affected |
| E-plugins | Hospital & Doctor Directory | < 1.3.6 | wordpress | Affected |
| E-plugins | Hotel Directory | < 1.3.7 | wordpress | Affected |
| E-plugins | Institutions Directory | < 1.3.1 | wordpress | Affected |
| E-plugins | Lawyer Directory | < 1.2.9 | wordpress | Affected |
| E-plugins | Photographer-directory | < 1.0.9 | wordpress | Affected |
| E-plugins | Producer-retailer | - | wordpress | Affected |
| E-plugins | Real Estate Pro | < 1.7.1 | wordpress | Affected |
| E-plugins | Wp Membership | < 1.5.7 | wordpress | Affected |