AccessAlly < 3.3.2 Unauthenticated Arbitrary PHP Code Execution

Advisories

severity: critical
date: January 9, 2026
Affecting: AccessAlly < 3.3.2
CVE: CVE-2020-36875
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: AccessAlly Advisory
WPScan Advisory w/ Exploitation Acknowledgement
Wordfence Advisory
Patchstack Advisory
Credit: Brad Patton
Description: AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget. The plugin processes the login_error parameter as PHP code, allowing an attacker to supply and execute arbitrary PHP in the context of the WordPress web server process, resulting in remote code execution.
VulnCheck KEV: This advisory is in the VulnCheck KEV database