Cyber Resilience

CVE-2020-36875

CriticalPublic PoCRCE

Published: 09 January 2026

Published
09 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0075 50.0th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2020-36875 is a critical-severity Code Injection (CWE-94) vulnerability in Accessally (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, ranked in the top 50.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget. The plugin processes the login_error parameter as PHP code, allowing an attacker to supply and execute arbitrary PHP in the context…

more

of the WordPress web server process, resulting in remote code execution.

CWE(s)

Related Threats

CVEs Like This One

CVE-2021-47939Shared CWE-94
CVE-2026-41229Shared CWE-94
CVE-2026-44262Shared CWE-94
CVE-2026-26045Shared CWE-94
CVE-2025-33239Shared CWE-94
CVE-2024-11600Shared CWE-94
CVE-2025-41717Shared CWE-94
CVE-2025-67979Shared CWE-94
CVE-2026-28425Shared CWE-94
CVE-2025-21187Shared CWE-94

Affected Assets

Accessally
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-94

Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

addresses: CWE-94

Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

addresses: CWE-94

Validates inputs used in dynamic code generation to block injected directives.

addresses: CWE-94

Directly prevents execution of attacker-supplied code written into data memory regions.

References