CVE-2020-36719 in ListingPro Directory & Listing Theme
Summary
by MITRE • 06/07/2023
The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. This is due to a missing capability check on the lp_cc_addons_actions function. This makes it possible for unauthenticated attackers to arbitrarily install, activate and deactivate any plugin.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/09/2026
The vulnerability identified as CVE-2020-36719 affects the ListingPro WordPress directory and listing theme, specifically targeting versions prior to 2.6.1. This represents a critical security flaw that undermines the fundamental security model of WordPress installations. The vulnerability stems from insufficient access control mechanisms within the theme's codebase, creating a pathway for unauthorized actors to manipulate the WordPress plugin ecosystem without proper authentication or authorization. The affected theme's lp_cc_addons_actions function fails to implement necessary capability checks, which should validate user permissions before executing sensitive operations. This oversight allows attackers to exploit the theme's administrative functions from any remote location, bypassing the standard WordPress authentication requirements that normally protect such critical system modifications.
The technical flaw manifests through a missing capability check in the lp_cc_addons_actions function, which serves as a critical control point for managing plugins within the theme's administrative interface. This function should validate that the requesting user possesses the appropriate administrative privileges before permitting plugin installation, activation, or deactivation operations. Without this validation, any unauthenticated user can submit requests to manipulate plugins, effectively granting them administrative control over the WordPress installation's plugin management system. The vulnerability directly maps to CWE-863, which describes the weakness of "Incorrect Authorization" where an actor is able to perform actions they should not be permitted to execute due to insufficient access control validation. This misconfiguration creates a persistent backdoor that remains active as long as the vulnerable theme is installed on the WordPress site.
The operational impact of this vulnerability extends far beyond simple unauthorized plugin manipulation, creating significant risks for WordPress site owners and their users. Attackers can leverage this vulnerability to install malicious plugins that may contain backdoors, data exfiltration tools, or other harmful components that persist even after the initial exploit is completed. The ability to activate and deactivate plugins provides attackers with additional attack surface manipulation capabilities, potentially allowing them to disable security plugins or activate compromised versions of legitimate plugins. This vulnerability enables attackers to establish persistent access to the WordPress installation, potentially leading to full system compromise through the exploitation of additional vulnerabilities or the installation of more sophisticated malware. The lack of authentication requirements means that attackers can exploit this vulnerability continuously without requiring valid credentials, making it particularly dangerous for sites with public-facing interfaces or those that do not properly secure their administrative areas.
Mitigation strategies for this vulnerability should focus on immediate remediation through theme updates to version 2.6.1 or later, where the missing capability checks have been implemented. Site administrators must also implement additional security measures including regular security audits of installed themes and plugins, proper user access controls, and monitoring of administrative activities. The vulnerability demonstrates the importance of implementing proper input validation and access control checks at all levels of web applications, particularly in themes and plugins that provide administrative interfaces. Organizations should also consider implementing web application firewalls to detect and block suspicious plugin management requests, and establish regular security testing procedures to identify similar authorization flaws in other components of their WordPress installations. The ATT&CK framework categorizes this vulnerability under T1059.001 for Command and Scripting Interpreter and T1547.001 for Registry Run Keys / Startup Folder, as attackers can leverage this vulnerability to establish persistent access through plugin manipulation and potentially gain system-level control over affected WordPress installations.