CVE-2020-36708: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2020-36708) affects multiple WordPress themes using the Epsilon framework, discovered in 2020. The affected themes include Shapely (<=1.2.7), NewsMag (<=2.4.1), Activello (<=1.4.0), Illdy (<=2.1.4), and several others. The vulnerability stems from an unauthenticated function injection issue in the epsilonframeworkajax_action functionality (NinTechNet Blog, WPScan).

The vulnerability is caused by the lack of capability and CSRF nonce checks in AJAX actions within the Epsilon framework. The epsilonframeworkajaxaction method is accessible to all users, authenticated or not, through WordPress wpajax* and wpajaxnopriv* hooks. The function takes three POST user inputs (class, method, and args) and calls the corresponding class and method with optional arguments without proper security validation (NinTechNet Blog). The vulnerability has received a CVSS v3.1 score of 9.8 (Critical) (Wordfence).

The vulnerability allows unauthenticated attackers to call arbitrary functions and achieve remote code execution. If popular plugins like WooCommerce or Jetpack are installed, attackers could potentially delete all products, drop database tables, or disable security modules (NinTechNet Blog).

Users should immediately update to the fixed versions of the affected themes: Shapely (1.2.9), NewsMag (2.4.2), Activello (1.4.2), Illdy (2.1.7), Allegiant (1.2.6), Newspaper X (1.3.2), Pixova Lite (2.0.7), and others. The NatureMag Lite theme has been removed from the WordPress repository (WPScan).