Vulnerability Description
The Widget Settings Importer/Exporter Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wp_ajax_import_widget_dataparameter AJAX action in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with subscriber-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Porternovelli | Widget Settings Importer\/Exporter | <= 1.5.3 |
Related Weaknesses (CWE)
References
- https://www.wordfence.com/blog/2020/04/unpatched-high-severity-vulnerability-in-ExploitThird Party Advisory
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e14f0fc6-fca4-4dd7-8f7Third Party Advisory
- https://www.wordfence.com/blog/2020/04/unpatched-high-severity-vulnerability-in-ExploitThird Party Advisory
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e14f0fc6-fca4-4dd7-8f7Third Party Advisory
FAQ
What is CVE-2020-36769?
CVE-2020-36769 is a vulnerability with a CVSS score of 7.4 (HIGH). The Widget Settings Importer/Exporter Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wp_ajax_import_widget_dataparameter AJAX action in versions up to, and including, 1.5.3...
How severe is CVE-2020-36769?
CVE-2020-36769 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-36769?
Check the references section above for vendor advisories and patch information. Affected products include: Porternovelli Widget Settings Importer\/Exporter.