Epsilon Framework Themes (Various Versions) - Function Injection

Improper Control of Generation of Code ('Code Injection')
CVE CVE-2020-36708
CVSS Critical (9.8)
Publicly Published October 1, 2020
Last Updated January 22, 2024
Researcher Jerome Bruandet
Description

The following themes for WordPress are vulnerable to Function Injections in versions up to and including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4. This is due to epsilon_framework_ajax_action. This makes it possible for unauthenticated attackers to call functions and achieve remote code execution.

References

16 affected software package

Software Type Theme
Software Slug allegiant (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 1.2.2
Patched Version
  • 1.2.6
Software Type Theme
Software Slug naturemag-lite (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 1.0.4
Patched Version
  • 1.0.5
Software Type Theme
Software Slug newsmag (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 2.4.1
Patched Version
  • 2.4.2
Software Type Theme
Software Slug shapely (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 1.2.7
Patched Version
  • 1.2.9
Software Type Theme
Software Slug bonkers (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 1.0.4
Patched Version
  • 1.0.6
Software Type Theme
Software Slug regina-lite (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 2.0.4
Patched Version
  • 2.0.6
Software Type Theme
Software Slug transcend (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 1.1.8
Patched Version
  • 1.2.0
Software Type Theme
Software Slug sparkling (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 2.4.8
Patched Version
  • 2.4.9
Software Type Theme
Software Slug newspaper-x (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 1.3.1
Patched Version
  • 1.3.2
Software Type Theme
Software Slug antreas (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 1.0.2
Patched Version
  • 1.0.7
Software Type Theme
Software Slug affluent (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 1.1.0
Patched Version
  • 1.1.2
Software Type Theme
Software Slug brilliance (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 1.2.7
Patched Version
  • 1.3.0
Software Type Theme
Software Slug activello (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 1.4.0
Patched Version
  • 1.4.2
Software Type Theme
Software Slug illdy (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 2.1.4
Patched Version
  • 2.1.7
Software Type Theme
Software Slug medzone-lite (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 1.2.4
Patched Version
  • 1.2.6
Software Type Theme
Software Slug pixova-lite (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 2.0.5
Patched Version
  • 2.0.7
This record contains material that is subject to copyright

Copyright 2012-2026 Defiant Inc.
License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. License Detail.