CVE-2020-36755 in Customizr Theme

Summary

by MITRE • 10/25/2023

The Customizr theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.3.0. This is due to missing or incorrect nonce validation on the czr_fn_post_fields_save() function. This makes it possible for unauthenticated attackers to post fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.


Analysis

by VulDB Data Team • 04/10/2026

CVE-2020-36755 affects the Customizr WordPress theme in versions up to and including 4.3.0: a critical cross-site request forgery flaw that undermines the integrity of affected sites. The root cause is inadequate nonce validation in the czr_fn_post_fields_save() function. Nonce checks are the mechanism WordPress relies on to prevent actions from being executed on behalf of an authenticated user without that user's intent, so their absence lets forged requests that look legitimate to WordPress manipulate the theme's functionality.

Technically, the flaw is that czr_fn_post_fields_save() never verifies that the request it is handling is authentic. Nonce values are tokens that tie an action to a form or link the site itself generated, so that requests originating from an unauthorized party can be rejected. Without nonce validation, an attacker can construct requests that bypass the checks normally required for administrative actions. The analysis characterizes this as a violation of the principle of least privilege and as the kind of poor input validation practice addressed in security frameworks such as the OWASP Top Ten.

The operational impact goes beyond simple data manipulation, because unauthenticated attackers can cause actions that would normally require administrator privileges. When an administrator visits a malicious website or clicks a crafted link, the forged request executes unintended operations within the vulnerable WordPress installation, potentially leading to complete compromise of the site. The analysis maps this attack vector to MITRE ATT&CK technique T1566 for credential access through social engineering. In effect, the vulnerability turns any administrator into an unwitting proxy for malicious activity, which makes it particularly dangerous for websites that depend on the Customizr theme for their presentation and functionality.

Affected organizations should mitigate immediately. The primary recommendation is to update to a patched version of the Customizr theme in which nonce validation is properly implemented in czr_fn_post_fields_save(). Security administrators should also consider monitoring for unusual administrative activity and ensuring that all users, particularly administrators, receive training to recognize social engineering attempts. The vulnerability underscores the importance of security testing and code review, especially for theme developers who handle user input and administrative functions: a seemingly minor oversight in theme development can have significant consequences for an entire WordPress installation, and it reinforces the need for comprehensive security assessments and adherence to standards such as CWE-352 (Cross-Site Request Forgery) in the CWE catalog.
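To make the nonce point above concrete, here is an added illustration (hypothetical code, not the Customizr theme's own czr_fn_post_fields_save() implementation): a WordPress option-save handler that relies only on the caller's capability, beside the same handler hardened with a nonce bound to the form that submits it. The function names czr_demo_*, the action name czr_demo_save_fields and the option czr_demo_fields are assumptions; the WordPress APIs used (wp_nonce_field, check_admin_referer, current_user_can, update_option) are real.

```php
<?php
// Added illustration of the CWE-352 pattern the advisory describes; the
// czr_demo_* names, the czr_demo_save_fields action and the czr_demo_fields
// option are hypothetical and not taken from the Customizr theme.

// --- Vulnerable pattern: only checks WHO is logged in, not WHETHER they meant it ---
function czr_demo_fields_save_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // A capability check alone cannot distinguish a request the admin intended
    // from one their browser was induced to send: the session cookie rides along
    // either way, so the save below proceeds for both.
    $fields = isset( $_POST['czr_fields'] ) ? (array) $_POST['czr_fields'] : array();
    update_option( 'czr_demo_fields', array_map( 'sanitize_text_field', $fields ) );
}

// --- Hardened pattern: the form carries a nonce and the handler verifies it ---
function czr_demo_fields_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="czr_demo_save_fields">';
    // Emits a hidden _wpnonce field tied to this action, the current user and
    // a limited time window; a third-party page cannot produce a valid one.
    wp_nonce_field( 'czr_demo_save_fields', '_wpnonce' );
    echo '<input type="text" name="czr_fields[title]">';
    submit_button( 'Save' );
    echo '</form>';
}

function czr_demo_fields_save_hardened() {
    // Stops the request (wp_die) if the nonce is missing, expired, or was
    // minted for a different user or action. Do this before any state change.
    check_admin_referer( 'czr_demo_save_fields', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $fields = isset( $_POST['czr_fields'] ) ? (array) $_POST['czr_fields'] : array();
    update_option( 'czr_demo_fields', array_map( 'sanitize_text_field', $fields ) );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_czr_demo_save_fields', 'czr_demo_fields_save_hardened' );
```

When auditing a theme or plugin for this class of bug, look for every handler that writes options or posts and confirm a check_admin_referer()/wp_verify_nonce() call precedes the write, not just a capability check.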

Responsible: Wordfence

Reservation: 07/11/2023

Disclosure: 10/25/2023

Moderation: accepted

CPE: ready

EPSS: 0.00397

KEV: no

Activities: low
