CVE-2020-36666
Published: Mar 27, 2023
Modified: Feb 19, 2025
Description
The directory-pro WordPress plugin before 1.9.5, final-user-wp-frontend-user-profiles WordPress plugin before 1.2.2, producer-retailer WordPress plugin through TODO, photographer-directory WordPress plugin before 1.0.9, real-estate-pro WordPress plugin before 1.7.1, institutions-directory WordPress plugin before 1.3.1, lawyer-directory WordPress plugin before 1.2.9, doctor-listing WordPress plugin before 1.3.6, Hotel Listing WordPress plugin before 1.3.7, fitness-trainer WordPress plugin before 1.4.1, wp-membership WordPress plugin before 1.5.7, sold by the same developer (e-plugins), do not implementing any security measures in some AJAX calls. For example in the file plugin.php, the function iv_directories_update_profile_setting() uses update_user_meta with any data provided by the ajax call, which can be used to give the logged in user admin capabilities. Since the plugins allow user registration via a custom form (even if the blog does not allow users to register) it makes any site using it vulnerable.
| Vendor | Product | Versions |
|---|---|---|
Unknown | directory-pro | affected 0 - < 1.9.5 |
Unknown | final-user-wp-frontend-user-profiles | affected 0 - < 1.2.2 |
Unknown | producer-retailer | affected 0 - <= TODO |
Unknown | photographer-directory | affected 0 - < 1.0.9 |
Unknown | real-estate-pro | affected 0 - < 1.7.1 |
Unknown | institutions-directory | affected 0 - < 1.3.1 |
Unknown | lawyer-directory | affected 0 - < 1.2.9 |
Unknown | doctor-listing | affected 0 - < 1.3.6 |
Unknown | Hotel Listing | affected 0 - < 1.3.7 |
Unknown | fitness-trainer | affected 0 - < 1.4.1 |
Unknown | wp-membership | affected 0 - < 1.5.7 |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now