Epsilon Framework Themes (Various Versions) - Function Injection

9.8
Improper Control of Generation of Code ('Code Injection')
CVE CVE-2020-36708
CVSS 9.8 (Critical)
Publicly Published October 1, 2020
Last Updated June 7, 2023
Researcher Jerome Bruandet - NinTechNet

Description

The following themes for WordPress are vulnerable to Function Injections in versions up to and including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4. This is due to epsilon_framework_ajax_action. This makes it possible for unauthenticated attackers to call functions and achieve remote code execution.

Wordfence blocked 8,684 attacks targeting this vulnerability in the past 24 hours.

References

Share

16 affected software packages

Software Type Theme
Software Slug activello (view on wordpress.org)
Patched? Yes
Remediation Update to version 1.4.2, or a newer patched version
Affected Version
  • <= 1.4.0
Patched Version
  • 1.4.2
Software Type Theme
Software Slug affluent (view on wordpress.org)
Patched? Yes
Remediation Update to version 1.1.2, or a newer patched version
Affected Version
  • <= 1.1.0
Patched Version
  • 1.1.2
Software Type Theme
Software Slug allegiant (view on wordpress.org)
Patched? Yes
Remediation Update to version 1.2.6, or a newer patched version
Affected Version
  • <= 1.2.2
Patched Version
  • 1.2.6
Software Type Theme
Software Slug antreas (view on wordpress.org)
Patched? Yes
Remediation Update to version 1.0.7, or a newer patched version
Affected Version
  • <= 1.0.2
Patched Version
  • 1.0.7
Software Type Theme
Software Slug bonkers (view on wordpress.org)
Patched? Yes
Remediation Update to version 1.0.6, or a newer patched version
Affected Version
  • <= 1.0.4
Patched Version
  • 1.0.6
Software Type Theme
Software Slug brilliance (view on wordpress.org)
Patched? Yes
Remediation Update to version 1.3.0, or a newer patched version
Affected Version
  • <= 1.2.7
Patched Version
  • 1.3.0
Software Type Theme
Software Slug illdy (view on wordpress.org)
Patched? Yes
Remediation Update to version 2.1.7, or a newer patched version
Affected Version
  • <= 2.1.4
Patched Version
  • 2.1.7
Software Type Theme
Software Slug medzone-lite (view on wordpress.org)
Patched? Yes
Remediation Update to version 1.2.6, or a newer patched version
Affected Version
  • <= 1.2.4
Patched Version
  • 1.2.6
Software Type Theme
Software Slug naturemag-lite (view on wordpress.org)
Patched? Yes
Remediation Update to version 1.0.5, or a newer patched version
Affected Version
  • <= 1.0.4
Patched Version
  • 1.0.5
Software Type Theme
Software Slug newsmag (view on wordpress.org)
Patched? Yes
Remediation Update to version 2.4.2, or a newer patched version
Affected Version
  • <= 2.4.1
Patched Version
  • 2.4.2
Software Type Theme
Software Slug newspaper-x (view on wordpress.org)
Patched? Yes
Remediation Update to version 1.3.2, or a newer patched version
Affected Version
  • <= 1.3.1
Patched Version
  • 1.3.2
Software Type Theme
Software Slug pixova-lite (view on wordpress.org)
Patched? Yes
Remediation Update to version 2.0.7, or a newer patched version
Affected Version
  • <= 2.0.5
Patched Version
  • 2.0.7
Software Type Theme
Software Slug regina-lite (view on wordpress.org)
Patched? Yes
Remediation Update to version 2.0.6, or a newer patched version
Affected Version
  • <= 2.0.4
Patched Version
  • 2.0.6
Software Type Theme
Software Slug shapely (view on wordpress.org)
Patched? Yes
Remediation Update to version 1.2.9, or a newer patched version
Affected Version
  • <= 1.2.7
Patched Version
  • 1.2.9
Software Type Theme
Software Slug sparkling (view on wordpress.org)
Patched? Yes
Remediation Update to version 2.4.9, or a newer patched version
Affected Version
  • <= 2.4.8
Patched Version
  • 2.4.9
Software Type Theme
Software Slug transcend (view on wordpress.org)
Patched? Yes
Remediation Update to version 1.2.0, or a newer patched version
Affected Version
  • <= 1.1.8
Patched Version
  • 1.2.0

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation