CVE-2020-36875

Publication date: 2026-01-09

Last updated on: 2026-01-09

Assigner: VulnCheck

Description
AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget. The plugin processes the login_error parameter as PHP code, allowing an attacker to supply and execute arbitrary PHP in the context of the WordPress web server process, resulting in remote code execution.
Meta Information
Published: 2026-01-09
Last Modified: 2026-01-09
Generated: 2026-06-16
AI Q&A: 2026-01-10
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: accessally
Product: accessally
Version / Range: up to 3.3.2 (exclusive)
CWE ID: CWE-94
Description: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Executive Summary

CVE-2020-36875 is a critical security vulnerability in the AccessAlly WordPress plugin versions prior to 3.3.2. It exists in the Login Widget where the plugin improperly processes the 'login_error' parameter as PHP code. This flaw allows an unauthenticated attacker to supply and execute arbitrary PHP code remotely on the affected server within the context of the WordPress web server process, leading to remote code execution. [1, 2, 3]

Impact Analysis

This vulnerability can have severe impacts as it allows unauthenticated remote attackers to execute arbitrary PHP code on the server hosting the vulnerable AccessAlly plugin. This can lead to full compromise of the web server, unauthorized access to sensitive data, modification or deletion of data, installation of malware, and potentially taking control of the entire WordPress site and underlying server. [2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for suspicious HTTP requests to the WordPress login URL that include the 'login_error' parameter containing PHP code. A common detection method is to inspect web server logs for requests with unusual or encoded PHP code in the 'login_error' parameter. For example, using command-line tools like grep to search access logs: grep 'login_error' /var/log/apache2/access.log or grep 'login_error' /var/log/nginx/access.log. Additionally, tools like WPScan can be used to scan WordPress plugins for known vulnerabilities including this one. [2, 3]
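A plain grep for 'login_error' also matches ordinary error messages and misses percent-encoded values. The added example below (not part of the original advisory or the plugin's code) decodes the parameter from each access-log line and flags values that look like PHP. The /wp-login.php path, the combined log format, the sample lines and the PHP_HINTS heuristics are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client IP and request target from a combined-format access log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Assumed heuristics for "value looks like PHP": open tag, call syntax,
# variable sigil, or a trailing statement terminator. Tune for your site.
PHP_HINTS = re.compile(r'<\?|\b[A-Za-z_]\w*\(|\$[A-Za-z_]|;\s*$')

# Constructed sample log lines (documentation IP ranges, harmless values).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2026:10:00:00 +0000] "GET /wp-login.php?login_error=%3C%3Fphp%20echo%201%3B%20%3F%3E HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [10/Jan/2026:10:01:00 +0000] "GET /wp-login.php?login_error=Invalid+password HTTP/1.1" 200 498 "-" "-"',
    '198.51.100.9 - - [10/Jan/2026:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 470 "-" "-"',
    '203.0.113.7 - - [10/Jan/2026:10:03:00 +0000] "GET /wp-login.php?a=1&login_error=print(1)%3B HTTP/1.1" 200 512 "-" "-"',
]

def login_error_values(line):
    """Return (client_ip, decoded login_error values) for one log line."""
    m = REQUEST_RE.match(line)
    if not m:
        return None, []
    ip, target = m.groups()
    # parse_qs percent-decodes values and turns '+' into a space.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return ip, params.get("login_error", [])

def scan(lines):
    """Return (line_no, client_ip, value) for every suspicious login_error."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        ip, values = login_error_values(line)
        hits += [(line_no, ip, v) for v in values if PHP_HINTS.search(v)]
    return hits

if __name__ == "__main__":
    for line_no, ip, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: {ip} login_error={value!r}")
```

Access logs normally record only the query string, so a login_error value sent in a POST body will not appear here and needs request-body logging or a WAF rule to be seen.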

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the AccessAlly WordPress plugin to version 3.3.2 or later, where the vulnerability has been fixed by removing the capability to execute PHP code via the 'login_error' parameter. If you rely on the PHP execution feature, consider replacing the plugin with an alternative designed for safely running PHP code. Additionally, restricting access to the login page and monitoring for suspicious activity can help reduce risk until the update is applied. [1, 2, 3]
