CVE-2020-36719

CRITICAL EXPLOITED NUCLEI

ListingPro - WordPress Directory & Listing Theme <2.6.1 - Command I...

Title source: llm

Description

The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. This is due to a missing capability check on the lp_cc_addons_actions function. This makes it possible for unauthenticated attackers to arbitrarily install, activate and deactivate any plugin.

Nuclei Templates (1)

ListingPro < 2.6.1 - Arbitrary Plugin Installation/Activation/Deactivation
CRITICAL | VERIFIED | by ritikchaddha
FOFA: body="/wp-content/plugins/listingpro"

Scores

CVSS v3 9.8
EPSS 0.7430
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2020-12-17
CWE CWE-862
Status published
Products (2)
None/ListingPro - WordPress Directory & Listing Theme < 2.6.1
cridio/listingpro < 2.6.1
Published Jun 07, 2023
Tracked Since Feb 18, 2026