CVE-2020-36852
Published: 01 October 2025
Summary
CVE-2020-36852 is a critical-severity Missing Authorization (CWE-862) vulnerability in Wordfence (inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it ranks at the 28.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2020-36852 is a critical vulnerability in the Custom Searchable Data Entry System plugin for WordPress, affecting versions up to and including 1.7.1. It stems from a missing capability check and insufficient validation in the ghazale_sds_delete_entries_table_row() function, enabling unauthenticated database wiping. Attackers can completely delete key database tables, such as wp_users. The impact is reflected in a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), and the root cause maps to CWE-862 (Missing Authorization).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By invoking the vulnerable function, they achieve high-impact integrity and availability disruption, potentially wiping entire database tables and rendering the site inoperable, including loss of user data.
Wordfence advisories, referenced in the top sources, highlight active exploitation attempts against this zero-day vulnerability. Security practitioners should review the detailed threat intelligence and blog post for indicators of compromise and recommended mitigations, such as deactivating the plugin or upgrading to a release newer than 1.7.1 if one is available.
This vulnerability saw real-world active attacks as a zero-day, per Wordfence reporting from March 2020, underscoring the risks of unpatched WordPress plugins.
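To make the two root causes concrete, here is an added illustration (not the plugin's own code, and not taken from the Wordfence report) of a WordPress AJAX handler that exhibits the same class of flaw, next to a hardened version of the same handler. The function names, hook names, table name and capability used are assumptions chosen for the example.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical WordPress AJAX
// handler that mirrors the two flaws described above (no capability check,
// no input validation) and a hardened version of the same handler.
// Function, action, capability and table names are assumptions.

// --- Vulnerable pattern (shown for contrast only) ---
// Registering on the "nopriv" hook exposes the handler to logged-out
// visitors, and the body trusts both the caller and the requested table name.
add_action( 'wp_ajax_sds_delete_row',        'sds_delete_row_vulnerable' );
add_action( 'wp_ajax_nopriv_sds_delete_row', 'sds_delete_row_vulnerable' );
function sds_delete_row_vulnerable() {
    global $wpdb;
    $table = $_POST['table'];               // caller-controlled, unvalidated
    $wpdb->query( "DELETE FROM {$table}" ); // removes every row of any table
    wp_die();
}

// --- Hardened pattern ---
add_action( 'wp_ajax_sds_delete_row', 'sds_delete_row_hardened' ); // no nopriv hook
function sds_delete_row_hardened() {
    global $wpdb;
    // 1. Authorization (AC-3): only users allowed to manage the site proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'sds_delete_row', 'nonce' );
    // 3. Input validation (SI-10): only the plugin's own table is a legal target.
    $allowed = array( $wpdb->prefix . 'sds_entries' ); // assumed plugin table
    $table   = isset( $_POST['table'] ) ? sanitize_key( wp_unslash( $_POST['table'] ) ) : '';
    if ( ! in_array( $table, $allowed, true ) ) {
        wp_send_json_error( 'invalid table', 400 );
    }
    // 4. Scope: delete a single row identified by a numeric id, never a whole table.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }
    $deleted = $wpdb->delete( $table, array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
```

The hardened handler fails closed at each step, so a logged-out caller never reaches the database query at all.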
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-32898
Vulnerability details
The Custom Searchable Data Entry System plugin for WordPress is vulnerable to unauthenticated database wiping in versions up to, and including, 1.7.1, due to a missing capability check and lack of sufficient validation on the ghazale_sds_delete_entries_table_row() function. This makes it possible for unauthenticated attackers to completely wipe database tables such as wp_users.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability sits in a public-facing WordPress plugin and directly enables remote, unauthenticated exploitation (T1190, Exploit Public-Facing Application), which results in arbitrary database table deletion (T1485, Data Destruction).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations, directly addressing the missing capability check that allows unauthenticated database wiping.
- SI-10 (Information Input Validation): Requires validation of inputs to the ghazale_sds_delete_entries_table_row() function, mitigating the lack of sufficient validation exploited for table deletion.
- SI-2 (Flaw Remediation): Mandates identification, prioritization, and correction of flaws like this plugin vulnerability, preventing exploitation through timely remediation.