CVE-2020-36755
The Customizr theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.3.0. This is due to missing or incorrect nonce validation on the czr_fn_post_fields_save() function. This makes it possible for unauthenticated attackers to post fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
We have discovered 466 live websites that are affected by CVE-2020-36755.
Affected Software
| Product |  Customizr |
| Category | Wordpress Themes |
| Vulnerable Versions |
|
| Total Vulnerable Versions | 164 |
| Vulnerable Domains | 466 live websites (18.34% of Customizr install base) |
Distribution by Website Rank
The diagram provides a graphic representation of the correlation between the occurrence of CVE-2020-36755 and the relative popularity of websitesDetails
- Published - Oct 20, 2023
- Updated - Oct 20, 2023
Credits
- Jerome Bruandet (finder)
CVE References
CWE References
Countries
 United States | 116 websites |
 Germany | 62 websites |
 France | 54 websites |
 Italy | 24 websites |
 Spain | 24 websites |
 GB | 21 websites |
 Netherlands | 16 websites |
 Japan | 15 websites |
 Poland | 15 websites |
 Canada | 12 websites |
TLDs
| .com | 171 websites |
| .org | 50 websites |
| .de | 39 websites |
| .eu | 18 websites |
| .fr | 16 websites |
| .it | 15 websites |
| .net | 13 websites |
| .nl | 12 websites |
| .pl | 10 websites |
| .co.uk | 10 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redGeographical Distribution
The distribution of websites across the globe that are exposed to CVE-2020-36755 through included software libraries and plugins.References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d9f6b600-a35a-49c2-8758-a7cc5c00e947?source=cve
- https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/
- https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/
- https://themes.trac.wordpress.org/browser/customizr/4.3.1/core/czr-admin-ccat.php?rev=135570#L1764
Websites affected by CVE-2020-36755
Top websites that are affected by CVE-2020-36755. Please click on the "Contact us" button above to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.***.edu | United States | ***,*** | |
| ***********.com | United States | ***,*** | |
| ***.********.pl | Poland | ***,*** | |
| ***************.*********.com | United States | ***,*** | |
| ***.**************.com | United States | ***,*** | |
| *******.com | United States | ***,*** | |
| ******.***.za |  South Africa | ***,*** | |
| *******.*****.ca | Canada | ***,*** | |
| ***.****.com | United States | ***,*** | |
| ***.*******.com | France | ***,*** |