Lucene search

WordfenceCVE-2020-36769

HistoryDec 23, 2023 - 10:15 a.m.

CVE-2020-36769

2023-12-2310:15:08

CWE-79

Wordfence

web.nvd.nist.gov

widget settings

importer/exporter

wordpress

vulnerability

stored cross-site scripting

xss

nvd

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

EPSS

Percentile

14.0%

JSON

The Widget Settings Importer/Exporter Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wp_ajax_import_widget_dataparameter AJAX action in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with subscriber-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affected configurations

Nvd

Vulners

Node

porternovelliwidget_settings_importer\/exporterRange≤1.5.3wordpress

VendorProductVersionCPE
porternovelliwidget_settings_importer\/exporter*cpe:2.3:a:porternovelli:widget_settings_importer\/exporter:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
porternovelli	widget_settings_importer\/exporter	*	cpe:2.3:a:porternovelli:widget_settings_importer\/exporter::::::wordpress::*

CNA Affected

[
  {
    "vendor": "kevinlangleyjr",
    "product": "Widget Settings Importer/Exporter",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.5.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

www.wordfence.com/blog/2020/04/unpatched-high-severity-vulnerability-in-widget-settings-importer-exporter-plugin/

www.wordfence.com/threat-intel/vulnerabilities/id/e14f0fc6-fca4-4dd7-8f7b-ed5ed535c9af?source=cve