WordPress Plugin Vulnerabilities

Post Grid < 2.0.73 & Team Showcase < 1.22.16 - Authenticated Stored Cross-Site Scripting (XSS)

Description

Ram Gall from Wordfence discovered an authenticated (subscriber+) Stored Cross-Site Scripting (XSS) vulnerability in the Post Grid and Team Showcase WordPress plugins.

Affects Plugins

Plugin icon
post-grid
Fixed in 2.0.73
Plugin icon
team
Fixed in 1.22.16

References

CVE
CVE-2020-35936
CVE
CVE-2020-35937
URL
https://www.wordfence.com/blog/2020/10/high-severity-vulnerabilities-in-post-grid-and-team-showcase-plugins/
URL
https://plugins.trac.wordpress.org/changeset/2383813/post-grid
URL
https://plugins.trac.wordpress.org/changeset/2383826/team

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Ram Gall (Wordfence)
Verified
No
WPVDB ID
2fa410a8-2b2a-421c-bcab-d5d9dec8b542

Timeline

Publicly Published
2020-10-05 (about 5 years ago)
Added
2020-10-05 (about 5 years ago)
Last Updated
2021-01-03 (about 5 years ago)

Other

Published
Title
Published
2025-05-22
Title
ReDi Restaurant Reservation < 25.0513 - Reflected Cross-Site Scripting
Published
2024-11-08
Title
Luzuk Slider <= 0.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-12-28
Title
Registration Magic < 5.0.1.9 - Reflected Cross-Site Scripting
Published
2025-02-21
Title
Easy Form by AYS < 2.7.0 - Reflected Cross-Site Scripting
Published
2022-09-23
Title
FontMeister <= 1.08 - Reflected Cross-Site Scripting