WP Fastest Cache CVE-2020-36836
Severity: HIGH
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Description (NVD)
The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized arbitrary file deletion in versions up to, and including, 0.9.0.2 due to a lack of capability checking and insufficient path validation. This makes it possible for authenticated users with minimal permissions to delete arbitrary files from the server.
Analysis (AI)
Arbitrary file deletion in the WP Fastest Cache WordPress plugin (versions up to and including 0.9.0.2) allows authenticated low-privileged users to remove arbitrary files from the underlying server due to missing capability checks and inadequate path validation. Publicly available exploit code exists, and the EPSS score of 43.15% (97th percentile) indicates a notably elevated exploitation probability relative to the broader CVE population. The flaw is tagged as CSRF (CWE-352), meaning the deletion action can also be triggered via a forged request against an authenticated victim.
Technical Context (AI)
WP Fastest Cache is a widely deployed caching plugin for WordPress (CPE cpe:2.3:a:wpfastestcache:wp_fastest_cache) that generates and manages static cache files on the server filesystem. The plugin exposes administrative-style actions (typically cache invalidation/deletion routines) without enforcing WordPress capability checks (current_user_can) and without validating or canonicalizing user-supplied path parameters. Consistent with the CWE-352 (Cross-Site Request Forgery) classification, the deletion endpoint also lacks nonce verification, so the same action can be coerced from an authenticated browser session via a crafted external page. The result is a path-traversal-style arbitrary file deletion reachable by any logged-in user (e.g., a Subscriber).
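As an added illustration (not WP Fastest Cache's own code), the following hypothetical admin-ajax delete handler shows the three controls the description says were missing: nonce verification, a capability check, and canonicalized path validation confined to the cache directory. The function name, nonce action, and cache directory are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Names are hypothetical.
//
// The pattern the CVE describes, for contrast: no nonce, no capability
// check, and the supplied path used as-is:
//
//   function example_delete_cache_file_vulnerable() {
//       unlink( WP_CONTENT_DIR . '/cache/' . $_POST['file'] ); // unvalidated path
//       wp_die();
//   }
//
// Hardened handler:
function example_delete_cache_file() {
    // 1. CSRF (CWE-352): require a nonce issued to this user for this action.
    check_ajax_referer( 'example_delete_cache_file', 'nonce' );

    // 2. Authorization: only users who may manage the site can purge cache.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 ); // calls wp_die()
    }

    // 3. Path validation: resolve symlinks and "../" with realpath(), then
    //    require the result to stay inside the cache root. realpath() returns
    //    false for paths that do not exist, which we also reject.
    $cache_root = realpath( WP_CONTENT_DIR . '/cache/example' ); // assumed location
    $requested  = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $target     = realpath( $cache_root . '/' . $requested );

    if ( false === $cache_root || false === $target
        || 0 !== strpos( $target, $cache_root . DIRECTORY_SEPARATOR )
        || ! is_file( $target ) ) {
        wp_send_json_error( 'invalid cache file', 400 );
    }

    wp_send_json_success( array( 'deleted' => unlink( $target ) ) );
}
// Registered only for logged-in users; there is deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_delete_cache_file', 'example_delete_cache_file' );
```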
Remediation (AI)
Patch available per vendor advisory: upgrade WP Fastest Cache to a version newer than 0.9.0.2 via the WordPress plugin updater or by replacing the plugin files manually; consult the Wordfence advisory referenced in the CVE record for the exact fixed release. If immediate patching is not feasible, compensating controls include temporarily deactivating the WP Fastest Cache plugin (trade-off: loss of caching and a performance regression on the site), restricting wp-admin and admin-ajax.php access to known IP ranges via web server or WAF rules (trade-off: blocks legitimate remote administrators), and disabling new user self-registration in WordPress general settings to shrink the pool of low-privileged accounts that could abuse the endpoint (trade-off: blocks legitimate community signups). Also ensure file system permissions on wp-config.php and core files limit the WordPress process user's write/delete access where the hosting model allows.