CVE-2020-36875

UNKNOWN 0.0

AccessAlly < 3.3.2 Unauthenticated Arbitrary PHP Code Execution

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget. The plugin processes the login_error parameter as PHP code, allowing an attacker to supply and execute arbitrary PHP in the context of the WordPress web server process, resulting in remote code execution.

CWE	CWE-94
Vendor	accessally, inc.
Product	accessally
Published	Jan 9, 2026
Last Updated	Mar 5, 2026

Stay Ahead of the Next One

Get instant alerts for accessally, inc. accessally

Be the first to know when new unknown vulnerabilities affecting accessally, inc. accessally are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

ACCESSALLY, INC. / AccessAlly

0 < 3.3.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

accessally.com: https://accessally.com/software-release/accessally-3-3-2/ wpscan.com: https://wpscan.com/vulnerability/c644de6d-098d-4889-b75d-53fd2b89ff4d/ vulncheck.com: https://www.vulncheck.com/advisories/accessally-unauthenticated-arbitrary-php-code-execution

Credits

Brad Patton