Security Alert Summary
The AccessAlly WordPress plugin contains an unauthenticated arbitrary PHP code execution vulnerability in its Login Widget. Versions prior to 3.3.2 process the login_error parameter as PHP code, allowing an attacker to supply and execute arbitrary PHP in the context of the WordPress web server process, potentially resulting in remote code execution.
CVE Details
- CVE ID: CVE-2020-36875
- Affected plugin / component: AccessAlly WordPress plugin — Login Widget
- Affected versions: Versions prior to 3.3.2
- Published: January 9, 2026 at 5:15:50 PM
- Last modified: January 9, 2026 at 7:16:02 PM
- CVSS (version 4.0) base score: 9.3 — CRITICAL
- CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Authentication requirements: None
- Privileges required: None
- User interaction: None
- Primary impact: Confidentiality: High; Integrity: High; Availability: High
- CWE / weakness: CWE-94 (Improper Control of Generation of Code)
Technical Details
According to the CVE entry, the Login Widget in the AccessAlly plugin processes the login_error parameter as PHP code. Because this input is evaluated as PHP without required authentication, privileges, or user interaction, an attacker can supply arbitrary PHP and have it executed by the web server process running WordPress. The vulnerability results in remote code execution through this parameter handling behavior.
The core issue is execution of attacker-controlled input as PHP (CWE-94). The CVE description names the Login Widget and the login_error parameter as the vector; no additional endpoints or functions are specified in the provided data.
How This Could Impact Your Website
In a realistic scenario, an unauthenticated remote attacker could exploit the Login Widget vulnerability to run arbitrary PHP on your server. For a small business WordPress site this could mean unauthorized access to site data, modification or deletion of content, or interruption of site availability. Internal staff accounts and external contractors who rely on the site could have their data exposed or altered, and site owners may face operational disruption while investigating and restoring the site.
Exposure of internal user email addresses or other sensitive data could increase the risk of targeted phishing or social engineering aimed at staff or contractors. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin to version 3.3.2 or later if you are running a prior version.
- Review and reduce unnecessary user roles, especially contributor-level and other write-capable roles.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior (unexpected file changes, new admin users, or suspicious requests to login-related endpoints).
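The last action above (watching for suspicious requests to login-related endpoints) and the vector named in the Technical Details section (the login_error parameter of the Login Widget) can be combined into a simple log check. The script below is an added example, not code from the advisory or from the AccessAlly plugin: it scans web-server access logs in the common "combined" format for requests whose login_error value contains PHP code markers. It assumes that legitimate login_error values are human-readable messages, that the parameter is passed in the query string (POST bodies do not appear in standard access logs), and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (Apache/nginx "combined" format).
SAMPLE_LOG = """\
203.0.113.10 - - [09/Jan/2026:17:20:01 +0000] "GET /members/?login_error=Invalid+username+or+password HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [09/Jan/2026:17:21:14 +0000] "GET /members/?login_error=%3C%3Fphp+echo+1%3B+%3F%3E HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.12 - - [09/Jan/2026:17:22:30 +0000] "GET /members/?login_error=Please+enter+your+password HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.13 - - [09/Jan/2026:17:23:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.14 - - [09/Jan/2026:17:24:02 +0000] "GET /members/?login_error=eval(base64_decode(%27aGVsbG8%3D%27)) HTTP/1.1" 200 5120 "-" "curl/8.0"
"""

# Minimal parser for the fields we need: client IP, timestamp, request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Tokens that should never appear in a plain-text login error message.
# Assumption: legitimate values are human-readable strings, so any PHP
# open tag, dangerous function call, or superglobal reference is anomalous.
CODE_MARKERS = re.compile(
    r'<\?php|<\?=|\b(eval|system|exec|passthru|shell_exec|assert|base64_decode)\s*\('
    r'|\$_(GET|POST|REQUEST|COOKIE)',
    re.IGNORECASE,
)


def suspicious_login_error_requests(log_text):
    """Return (ip, timestamp, decoded_value) for requests whose login_error looks like code."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get("login_error", []):
            # parse_qs already decoded once; decode again to catch double-encoding.
            decoded = unquote_plus(value)
            if CODE_MARKERS.search(decoded):
                hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_login_error_requests(SAMPLE_LOG):
        print(f"{ts} {ip} login_error={value!r}")
```

Any hit is worth correlating with file-integrity alerts and new-user events from the same period, since a successful request would run with the web server's privileges.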
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.