
CVE-2020-36701 Explained: Impact and Mitigation

Learn about CVE-2020-36701, which affects the Page Builder: KingComposer plugin for WordPress. Find out how authenticated users can upload arbitrary files, potentially leading to code execution on the server.

The Page Builder: KingComposer plugin for WordPress is vulnerable to Arbitrary File Uploads in versions up to, and including, 2.9.3, allowing authenticated users to upload arbitrary files onto the server.

Understanding CVE-2020-36701

The vulnerability in the KingComposer plugin poses a risk of arbitrary file uploads, potentially leading to code execution on the server.

What is CVE-2020-36701?

The CVE-2020-36701 vulnerability affects the Page Builder: KingComposer plugin for WordPress, enabling authenticated users to upload arbitrary files onto the server.

The Impact of CVE-2020-36701

This vulnerability can be exploited by users with author-level permissions and above, leading to arbitrary file uploads and potential code execution on the server.

Technical Details of CVE-2020-36701

This section covers the technical details of the CVE-2020-36701 vulnerability in the KingComposer plugin.

Vulnerability Description

The vulnerability allows authenticated users to upload arbitrary files via the 'process_bulk_action' function in the 'kingcomposer/includes/kc.extensions.php' file.

Affected Systems and Versions

        Vendor: kingthemes
        Product: Page Builder: KingComposer
        Versions affected: Up to and including 2.9.3

Exploitation Mechanism

The vulnerability can be exploited by authenticated users with author-level permissions and above to upload malicious files onto the server.

Mitigation and Prevention

The following steps mitigate and prevent exploitation of CVE-2020-36701.

Immediate Steps to Take

        Update the KingComposer plugin to version 2.9.4 or later.
        Restrict user permissions to minimize the risk of unauthorized file uploads.

Long-Term Security Practices

        Regularly monitor and audit file uploads on the server.
        Educate users on safe file upload practices.
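
As an added example (not part of this advisory or of the plugin's own code), a Python audit script that applies two of the steps above: it reads the installed KingComposer version from the plugin's header and compares it against the fixed release 2.9.4, and it lists files under wp-content/uploads whose names carry a server-side script extension anywhere (so a double extension such as name.php.jpg is also flagged). The main-file path plugins/kingcomposer/kingcomposer.php and the extension list are assumptions, and the wp-content tree built in demo() is constructed sample data.

```python
import os
import re
import tempfile
from pathlib import Path

FIXED = (2, 9, 4)  # advisory: versions up to and including 2.9.3 are affected
# Script-capable extensions that should never appear under uploads/ (assumed list)
SCRIPT_EXT = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps"}

def parse_version(text):
    """'2.9.3' -> (2, 9, 3); missing components are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def kingcomposer_version(wp_content):
    """Read the 'Version:' header of the plugin main file (path is an assumption)."""
    main = Path(wp_content, "plugins", "kingcomposer", "kingcomposer.php")
    if not main.is_file():
        return None
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", main.read_text(errors="ignore"), re.M)
    return m.group(1) if m else None

def is_vulnerable(version):
    """True when the plugin is installed and older than the fixed release."""
    return version is not None and parse_version(version) < FIXED

def suspicious_uploads(wp_content):
    """Relative paths under uploads/ whose name has a script extension in any position."""
    hits = []
    for root, _dirs, files in os.walk(Path(wp_content, "uploads")):
        for name in files:
            if set(name.lower().split(".")[1:]) & SCRIPT_EXT:
                hits.append(Path(root, name).relative_to(wp_content).as_posix())
    return sorted(hits)

def audit(wp_content):
    version = kingcomposer_version(wp_content)
    return {"version": version, "vulnerable": is_vulnerable(version),
            "suspicious": suspicious_uploads(wp_content)}

def demo():
    """Build a constructed wp-content tree (vulnerable header, one odd upload) and audit it."""
    base = Path(tempfile.mkdtemp())
    plugin = base / "plugins" / "kingcomposer"
    plugin.mkdir(parents=True)
    (plugin / "kingcomposer.php").write_text(
        "<?php\n/*\nPlugin Name: Page Builder: KingComposer\nVersion: 2.9.3\n*/\n")
    up = base / "uploads" / "2020" / "07"
    up.mkdir(parents=True)
    (up / "photo.jpg").write_bytes(b"\xff\xd8\xff")          # ordinary image
    (up / "cache.php.jpg").write_text("placeholder\n")       # double extension
    return audit(str(base))
```

Run audit() against a real wp-content directory; an empty "suspicious" list and "vulnerable": False is the expected clean result after updating to 2.9.4 or later.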

Patching and Updates

Ensure timely installation of security patches and updates for the KingComposer plugin.
