How to fix CVE-2020-36849?

Within 24 hours: Identify all WordPress instances using the vulnerable plugin and disable the plugin immediately, or if functionality is required, restrict access to the upload feature via Web Application Firewall rules to trusted IPs only. Within 7 days: Either uninstall the plugin entirely and identify alternative solutions, or contact the vendor for a security update timeline and escalate for executive approval on risk acceptance if continued use is necessary. Within 30 days: Implement a WordPress plugin governance policy requiring security assessments before deployment and automated vulnerability scanning for all plugins.

Is PHP affected by CVE-2020-36849?

Organizations using the AIT CSV Import/Export WordPress plugin (versions up to 3.0.3) face critical risk of complete server compromise through arbitrary file uploads.

CVE-2020-36849

EUVD-2020-30798 CRITICAL

2025-07-12 [email protected]

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 16, 2026 - 08:56 vuln.today

EUVD ID Assigned

Mar 16, 2026 - 08:56 euvd

EUVD-2020-30798

PoC Detected

Mar 04, 2026 - 16:55 vuln.today

Public exploit code

CVE Published

Jul 12, 2025 - 12:15 nvd

CRITICAL 9.8

Description

The AIT CSV import/export plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-content/plugins/ait-csv-import-export/admin/upload-handler.php file in versions up to, and including, 3.0.3. This makes it possible for unauthorized attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.

Analysis

The AIT CSV Import/Export WordPress plugin through version 3.0.3 allows unauthorized arbitrary file uploads without file type validation. The upload handler in upload-handler.php is accessible without authentication, enabling remote attackers to deploy PHP webshells and achieve code execution on the WordPress server.

Technical Context

The upload-handler.php in the plugin's admin directory processes file uploads without requiring WordPress authentication or validating file types. The file is stored in a web-accessible location. An attacker can upload a PHP file and access it directly to execute arbitrary code.

Affected Products

['AIT CSV Import/Export for WordPress <= 3.0.3']

Remediation

Remove the AIT CSV Import/Export plugin. If removal is not possible, block access to upload-handler.php at the web server level. Scan the uploads directory for PHP files and remove any found.

Priority Score

141

Low Medium High Critical

KEV: 0

EPSS: +72.2

CVSS: +49

POC: +20

CVE-2020-36849 vulnerability details – vuln.today

Back

CVE-2020-36849

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2020-36849

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code