CVE-2020-36666

The directory-pro WordPress plugin before 1.9.5, final-user-wp-frontend-user-profiles WordPress plugin before 1.2.2, producer-retailer WordPress plugin through TODO, photographer-directory WordPress plugin before 1.0.9, real-estate-pro WordPress plugin before 1.7.1, institutions-directory WordPress plugin before 1.3.1, lawyer-directory WordPress plugin before 1.2.9, doctor-listing WordPress plugin before 1.3.6, Hotel Listing WordPress plugin before 1.3.7, fitness-trainer WordPress plugin before 1.4.1, wp-membership WordPress plugin before 1.5.7, sold by the same developer (e-plugins), do not implementing any security measures in some AJAX calls. For example in the file plugin.php, the function iv_directories_update_profile_setting() uses update_user_meta with any data provided by the ajax call, which can be used to give the logged in user admin capabilities. Since the plugins allow user registration via a custom form (even if the blog does not allow users to register) it makes any site using it vulnerable.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
WPScanCNA
---
---
CVEADP
---
---
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
VendorProductVersion
e-pluginsdirectory_pro
𝑥
< 1.9.5
e-pluginsfinal_user
𝑥
< 1.2.2
e-pluginsfitness_trainer
𝑥
< 1.4.1
e-pluginshospital_\&_doctor_directory
𝑥
< 1.3.6
e-pluginshotel_directory
𝑥
< 1.3.7
e-pluginsinstitutions_directory
𝑥
< 1.3.1
e-pluginslawyer_directory
𝑥
< 1.2.9
e-pluginsphotographer-directory
𝑥
< 1.0.9
e-pluginsproducer-retailer
-
e-pluginsreal_estate_pro
𝑥
< 1.7.1
e-pluginswp_membership
𝑥
< 1.5.7
𝑥
= Vulnerable software versions
References
https://codecanyon.net/user/e-plugins
https://wpscan.com/vulnerability/d079cb16-ead5-4bc8-b0b8-4a4dc2a54c96
https://codecanyon.net/user/e-plugins
https://wpscan.com/vulnerability/d079cb16-ead5-4bc8-b0b8-4a4dc2a54c96