CVE-2020-36700 in KingComposer Plugin

Summary

by MITRE • 06/07/2023

The Page Builder: KingComposer plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.9.3. This is due to a security nonce being leaked in the '/wp-admin/index.php' page. This makes it possible for authenticated attackers to change arbitrary WordPress options, delete arbitrary files/folders, and inject arbitrary content.


Analysis

by VulDB Data Team • 04/09/2026

CVE-2020-36700 affects the Page Builder: KingComposer plugin for WordPress in versions up to and including 2.9.3. It is an authorization bypass: a security nonce is exposed inside the administrative interface, and an authenticated user who obtains it can trigger privileged plugin operations that should be reserved for administrators, undermining the access-control model of any WordPress installation running the affected versions.

The nonce is rendered in the wp-admin/index.php page, the dashboard that every logged-in user can reach. A WordPress nonce is meant to prove that a request was built from a page the application itself served to an active session, so that handlers can reject forged or cross-site requests. Once the nonce is visible to any authenticated user, a low-privileged account can read it and attach it to its own crafted requests, which the affected handlers then accept as legitimate. The leaked nonce therefore removes the barrier that should keep these administrative functions restricted to authorized administrators.
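The following is an added illustration, not KingComposer's code and not part of the MITRE or VulDB text. It shows the general pattern the analysis describes: an admin-ajax handler that treats the nonce as its only gate, beside a hardened version that adds a capability check and an option allowlist, and an enqueue hook that emits the nonce only on the plugin's own screen instead of on every admin page. The `kc_demo_` prefix, hook names, option names and the `toplevel_page_kc_demo` screen id are assumptions made up for this example.

```php
<?php
/**
 * Added illustration (not KingComposer's code): an AJAX option-update handler
 * in the "nonce only" pattern beside a hardened version. The kc_demo_ prefix,
 * hook names, option names and screen id are assumptions made up for this
 * example.
 */

// --- Weak pattern: the nonce is the only gate. -------------------------------
// A WordPress nonce only proves the request was built from a page that embedded
// it; it is not an authorization decision. If the nonce is rendered on a page
// every logged-in user can see (the dashboard, for instance), any authenticated
// user can reuse it, and this handler will update whatever option they name.
function kc_demo_update_option_weak() {
    check_ajax_referer( 'kc_demo_options', 'nonce' );   // dies on a bad nonce

    $name  = sanitize_key( wp_unslash( $_POST['name'] ?? '' ) );
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );

    update_option( $name, $value );                      // no capability check,
    wp_send_json_success();                              // no option allowlist
}
add_action( 'wp_ajax_kc_demo_update_option_weak', 'kc_demo_update_option_weak' );

// --- Hardened pattern: nonce + capability + allowlist. ------------------------
// Options this endpoint is allowed to touch; everything else is refused.
function kc_demo_allowed_options() {
    return array( 'kc_demo_accent_color', 'kc_demo_container_width' );
}

function kc_demo_update_option_hardened() {
    // 1. CSRF check: the request must carry a nonce for this specific action.
    check_ajax_referer( 'kc_demo_options', 'nonce' );

    // 2. Authorization check: a nonce never replaces this. Even a leaked or
    //    reused nonce gets no further than here for a low-privilege account.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Scope the write to options this feature owns, so even an admin-level
    //    caller cannot turn the endpoint into a generic option setter.
    $name = sanitize_key( wp_unslash( $_POST['name'] ?? '' ) );
    if ( ! in_array( $name, kc_demo_allowed_options(), true ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success( array( 'updated' => $name ) );
}
add_action( 'wp_ajax_kc_demo_update_option_hardened', 'kc_demo_update_option_hardened' );

// --- Where the nonce is emitted matters too. ---------------------------------
// Hand the nonce to the browser only on the plugin's own settings screen, and
// only to users who hold the capability, rather than on every admin page.
function kc_demo_enqueue( $hook_suffix ) {
    if ( 'toplevel_page_kc_demo' !== $hook_suffix || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'kc-demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'kc-demo-admin', 'kcDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'kc_demo_options' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'kc_demo_enqueue' );
```

The point of the side-by-side is that the nonce and the capability check answer different questions (is this request from our own page vs. is this user allowed to do this), so a handler needs both, and the nonce should be exposed on as few pages and to as few roles as the feature requires.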

The impact goes well beyond a simple privilege escalation. Authenticated attackers can modify arbitrary WordPress options, which may include changing core configuration settings, disabling security features, or altering user permissions. The ability to delete arbitrary files and folders can render the site inoperable or remove protective components, and the content-injection capability allows malicious code to be deployed or pages to be altered for phishing or malware distribution. Together these capabilities give an attacker several paths to a complete takeover of the installation.

The issue is classified under CWE-284 (improper access control) and is a clear violation of the principle of least privilege within the WordPress security architecture. In ATT&CK terms it falls under privilege escalation, specifically the exploitation of weak access-control mechanisms in a web application. Organizations running affected versions of the KingComposer plugin face a significant risk of data compromise, service disruption, and use of the site as a foothold for further attacks within their network.

The recommended mitigation is an immediate upgrade to a patched version of the KingComposer plugin from the vendor or the official WordPress plugin repository. Administrators should also monitor for suspicious administrative activity (unexpected option changes, file deletions, or injected content) and keep all WordPress installations current on security patches. At the network level, a web application firewall configured to detect and block unauthorized administrative requests adds a further layer, and regular security audits should confirm that no unauthorized modifications have occurred. Role-based access controls and multi-factor authentication reduce the impact of a compromised account, which is the precondition for exploiting this flaw.

Responsible

Wordfence

Reservation

06/06/2023

Disclosure

06/07/2023

Moderation

accepted

CPE

ready

EPSS

0.01186

KEV

no

Activities

very low
