CVE-2020-36702: 
NixOS vulnerability analysis and mitigation

The Ultimate Addons for Gutenberg plugin (also known as Spectra) for WordPress was identified with a security vulnerability (CVE-2020-36702) affecting versions up to and including 1.14.7. The vulnerability was discovered and publicly disclosed on March 30, 2020. This security issue impacts WordPress installations using the affected plugin versions (NVD, WordFence).

The vulnerability is classified as a Missing Authorization issue (CWE-862) due to missing capability checks on several AJAX actions. The severity of this vulnerability has been assessed with a CVSS v3.1 Base Score of 4.3 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, while WordFence assessed it at 5.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L (NVD).

The vulnerability allows authenticated attackers with subscriber-level permissions or higher to modify the plugin's settings. This unauthorized access to plugin settings could potentially lead to changes in website functionality and security configurations (NVD).

The vulnerability was patched in version 1.14.8 of the Ultimate Addons for Gutenberg plugin. Website administrators are advised to update to this version or later to mitigate the security risk (WPScan).