CVE-2020-36666
Multiple e-plugins - Subscriber+ Privilege Escalation
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The directory-pro WordPress plugin before 1.9.5, final-user-wp-frontend-user-profiles WordPress plugin before 1.2.2, producer-retailer WordPress plugin through TODO, photographer-directory WordPress plugin before 1.0.9, real-estate-pro WordPress plugin before 1.7.1, institutions-directory WordPress plugin before 1.3.1, lawyer-directory WordPress plugin before 1.2.9, doctor-listing WordPress plugin before 1.3.6, Hotel Listing WordPress plugin before 1.3.7, fitness-trainer WordPress plugin before 1.4.1, wp-membership WordPress plugin before 1.5.7, sold by the same developer (e-plugins), do not implementing any security measures in some AJAX calls. For example in the file plugin.php, the function iv_directories_update_profile_setting() uses update_user_meta with any data provided by the ajax call, which can be used to give the logged in user admin capabilities. Since the plugins allow user registration via a custom form (even if the blog does not allow users to register) it makes any site using it vulnerable.
Multiple plugins by the vendor E-plugins are vulnerable to privilege escalation due to insufficient restriction on several functions called via AJAX actions that set a user's role based on supplied role information. This makes it possible authenticated, subscriber-level and above attackers to elevate their privileges to that of an administrator.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2023-03-06 CVE Reserved
- 2023-03-06 CVE Published
- 2025-02-19 CVE Updated
- 2025-02-19 First Exploit
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-266: Incorrect Privilege Assignment
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://codecanyon.net/user/e-plugins | Product |
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/d079cb16-ead5-4bc8-b0b8-4a4dc2a54c96 | 2025-02-19 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| E-plugins Search vendor "E-plugins" | Directory Pro Search vendor "E-plugins" for product "Directory Pro" | < 1.9.5 Search vendor "E-plugins" for product "Directory Pro" and version " < 1.9.5" | wordpress |
Affected
| ||||||
| E-plugins Search vendor "E-plugins" | Final User Search vendor "E-plugins" for product "Final User" | < 1.2.2 Search vendor "E-plugins" for product "Final User" and version " < 1.2.2" | wordpress |
Affected
| ||||||
| E-plugins Search vendor "E-plugins" | Fitness Trainer Search vendor "E-plugins" for product "Fitness Trainer" | < 1.4.1 Search vendor "E-plugins" for product "Fitness Trainer" and version " < 1.4.1" | wordpress |
Affected
| ||||||
| E-plugins Search vendor "E-plugins" | Hospital \& Doctor Directory Search vendor "E-plugins" for product "Hospital \& Doctor Directory" | < 1.3.6 Search vendor "E-plugins" for product "Hospital \& Doctor Directory" and version " < 1.3.6" | wordpress |
Affected
| ||||||
| E-plugins Search vendor "E-plugins" | Hotel Directory Search vendor "E-plugins" for product "Hotel Directory" | < 1.3.7 Search vendor "E-plugins" for product "Hotel Directory" and version " < 1.3.7" | wordpress |
Affected
| ||||||
| E-plugins Search vendor "E-plugins" | Institutions Directory Search vendor "E-plugins" for product "Institutions Directory" | < 1.3.1 Search vendor "E-plugins" for product "Institutions Directory" and version " < 1.3.1" | wordpress |
Affected
| ||||||
| E-plugins Search vendor "E-plugins" | Lawyer Directory Search vendor "E-plugins" for product "Lawyer Directory" | < 1.2.9 Search vendor "E-plugins" for product "Lawyer Directory" and version " < 1.2.9" | wordpress |
Affected
| ||||||
| E-plugins Search vendor "E-plugins" | Photographer-directory Search vendor "E-plugins" for product "Photographer-directory" | < 1.0.9 Search vendor "E-plugins" for product "Photographer-directory" and version " < 1.0.9" | wordpress |
Affected
| ||||||
| E-plugins Search vendor "E-plugins" | Producer-retailer Search vendor "E-plugins" for product "Producer-retailer" | - | wordpress |
Affected
| ||||||
| E-plugins Search vendor "E-plugins" | Real Estate Pro Search vendor "E-plugins" for product "Real Estate Pro" | < 1.7.1 Search vendor "E-plugins" for product "Real Estate Pro" and version " < 1.7.1" | wordpress |
Affected
| ||||||
| E-plugins Search vendor "E-plugins" | Wp Membership Search vendor "E-plugins" for product "Wp Membership" | < 1.5.7 Search vendor "E-plugins" for product "Wp Membership" and version " < 1.5.7" | wordpress |
Affected
| ||||||