CVE-2020-36875
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2020-36875, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-09

Last updated on: 2026-01-09

Assigner: VulnCheck

Description

AccessAlly WordPress plugin versions prior toΒ 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget. The plugin processes the login_error parameter as PHP code, allowing an attacker to supply and execute arbitrary PHP in the context of the WordPress web server process, resulting in remote code execution.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-09
Last Modified
2026-01-09
Generated
2026-07-06
AI Q&A
2026-01-10
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
accessally accessally to 3.3.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2020-36875 is a critical security vulnerability in the AccessAlly WordPress plugin versions prior to 3.3.2. It exists in the Login Widget where the plugin improperly processes the 'login_error' parameter as PHP code. This flaw allows an unauthenticated attacker to supply and execute arbitrary PHP code remotely on the affected server within the context of the WordPress web server process, leading to remote code execution. [1, 2, 3]

Impact Analysis

This vulnerability can have severe impacts as it allows unauthenticated remote attackers to execute arbitrary PHP code on the server hosting the vulnerable AccessAlly plugin. This can lead to full compromise of the web server, unauthorized access to sensitive data, modification or deletion of data, installation of malware, and potentially taking control of the entire WordPress site and underlying server. [2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for suspicious HTTP requests to the WordPress login URL that include the 'login_error' parameter containing PHP code. A common detection method is to inspect web server logs for requests with unusual or encoded PHP code in the 'login_error' parameter. For example, using command-line tools like grep to search access logs: grep 'login_error' /var/log/apache2/access.log or grep 'login_error' /var/log/nginx/access.log. Additionally, tools like WPScan can be used to scan WordPress plugins for known vulnerabilities including this one. [2, 3]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the AccessAlly WordPress plugin to version 3.3.2 or later, where the vulnerability has been fixed by removing the capability to execute PHP code via the 'login_error' parameter. If you rely on the PHP execution feature, consider replacing the plugin with an alternative designed for safely running PHP code. Additionally, restricting access to the login page and monitoring for suspicious activity can help reduce risk until the update is applied. [1, 2, 3]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-36875. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart