CVE-2020-36875 CRITICAL

CVE-2020-36875: AccessAlly < 3.3.2 Unauthenticated Arbitrary PHP Code Execution

Vendor: Accessally, Inc.
Product: AccessAlly
Weakness: CWE-94 · Code injection
Published: January 9, 2026
Last update: March 5, 2026

CVSS base score

9.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget. The plugin processes the login_error parameter as PHP code, allowing an attacker to supply and execute arbitrary PHP in the context of the WordPress web server process, resulting in remote code execution.
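A defender-side check for the behaviour described above, as an added example that is not part of the original record or the plugin's code: it scans web access log lines for requests whose login_error query value contains code-like tokens. The /login/ path, the sample log lines and the token list are constructed assumptions, and values sent in POST bodies will not appear in access logs at all.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate login_error value is a short code or plain word,
# so PHP tags, statement punctuation and call syntax are treated as suspicious.
CODE_LIKE = re.compile(r"<\?|[;(){}$`\\]|\b(?:eval|assert|include|require)\b", re.I)
# Request field of a combined-format access log line.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_login_error(log_line):
    """Return the decoded login_error value if it looks like code, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    query = urlsplit(match.group("target")).query
    # parse_qs URL-decodes each value once; a parameter may be repeated.
    for value in parse_qs(query, keep_blank_values=True).get("login_error", []):
        if CODE_LIKE.search(value):
            return value
    return None


def scan(lines):
    """Return (line_number, client_ip, decoded_value) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        value = suspicious_login_error(line)
        if value is not None:
            hits.append((number, line.split(" ", 1)[0], value))
    return hits


# Constructed sample log lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2026:08:01:12 +0000] "GET /login/?login_error=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2026:08:01:40 +0000] "GET /login/?login_error=invalid_password HTTP/1.1" 200 5120',
    '198.51.100.23 - - [10/Jan/2026:08:02:03 +0000] "GET /login/?login_error=%3C%3Fphp+echo+1%3B HTTP/1.1" 200 5301',
    '198.51.100.23 - - [10/Jan/2026:08:02:09 +0000] "GET /login/?a=b&login_error=echo%281%29%3B HTTP/1.1" 200 5301',
    '192.0.2.50 - - [10/Jan/2026:08:03:00 +0000] "GET /wp-login.php?redirect_to=%2Fdash HTTP/1.1" 200 4100',
]

if __name__ == "__main__":
    for number, client, value in scan(SAMPLE_LOG):
        print(f"line {number}: {client} sent login_error={value!r}")
```

A hit on a site that ran a version prior to 3.3.2 is a reason to review that client's other requests; a clean scan does not rule out requests that carried the parameter in a POST body.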

Explanation of Vulnerability in Simple Terms

02 Summary

AccessAlly versions before 3.3.2 contain a code injection vulnerability that allows unauthenticated attackers to execute arbitrary code on affected sites. The vulnerability exists in how the product processes user input without proper validation or sanitization. An attacker can exploit this remotely without requiring authentication or user interaction.

What an attacker can do

03 Attacker Capabilities

Run their own code on the site to steal data, modify content, or take control of the installation.

Potential impact on your site

04 Site Impact

Complete compromise of the site and any data it stores; attacker can modify or delete content and user accounts.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

January 9, 2026: CVE published
March 5, 2026: Record updated