CVE Catalog

CVE-2020-37255

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.40%

31th percentile — higher than 31% of all known CVEs

Summary

The WordPress Time Capsule Plugin version 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the IWP_JSON_PREFIX header. Attackers can exploit this flaw to obtain valid administrator session cookies and access the WordPress dashboard without providing credentials.

Risk Assessment

This vulnerability poses a serious security risk, allowing attackers to take control of the website without needing to log in. It could lead to unauthorized changes to the site content and data breaches.

Recommendation

It is recommended to immediately update the plugin to the latest version to mitigate this vulnerability. Additionally, monitoring access logs for potential attack attempts is advisable.

Original NVD description (English source)

WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the IWP_JSON_PREFIX header. Attackers can exploit this flaw to obtain valid administrator session cookies and access the WordPress dashboard without providing credentials.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS