PT-2026-1686 · WordPress · Accessally
Brad Patton · Published 2026-01-09 · Updated 2026-01-09 · CVE-2020-36875
CVSS v4.0: 9.3 Critical
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
AccessAlly versions prior to 3.3.2
Description
The AccessAlly WordPress plugin contains a flaw where the login error parameter in the Login Widget is treated as PHP code. This allows a remote attacker to execute arbitrary PHP code within the WordPress web server process, leading to potential remote code execution.
Recommendations
Update AccessAlly to version 3.3.2 or later.
Exploit
Fix
RCE
Code Injection
Affected Products
Accessally