CVE-2020-36875
CRITICAL EXPLOITED
AccessAlly WordPress Plugin < 3.3.2 - Unauthenticated Remote Code Execution via Login Widget
Title source: llm
Exploitation Summary
CVE-2020-36875 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget. The plugin processes the login_error parameter as PHP code, allowing an attacker to supply and execute arbitrary PHP in the context of the WordPress web server process, resulting in remote code execution.
References (3)
Core References
Various Sources [vendor-advisory, patch]: https://accessally.com/software-release/accessally-3-3-2/
Third Party Advisory [third-party-advisory]: https://www.vulncheck.com/advisories/accessally-unauthenticated-arbitrary-php-code-execution
Third Party Advisory [third-party-advisory, exploit]: https://wpscan.com/vulnerability/c644de6d-098d-4889-b75d-53fd2b89ff4d/
Scores
CVSS v4: 9.3
EPSS: 0.0075
EPSS Percentile: 50.2%
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
VulnCheck KEV: 2020-01-21
CWE: CWE-94
Status: published
Published: Jan 09, 2026
Tracked Since: Feb 18, 2026