WordPress Plugin Vulnerabilities

Visual Composer < 27.0 - Multiple Authenticated Cross-Site Scripting Issues

Description

Jerome Braundet from NinTechNet, discovered multiple Stored Cross-Site Scripting issues, which could allow users with the contributor and above roles to inject arbitrary JavaScript in the blog.

Affects Plugins

Plugin icon
visualcomposer
Fixed in 27.0

References

CVE
CVE-2020-36722
URL
https://blog.nintechnet.com/multiple-xss-vulnerabilities-fixed-in-wordpress-visual-composer-plugin/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.7 (high)

Miscellaneous

Original Researcher
Jerome Bruandet (NinTechNet)
Verified
No
WPVDB ID
9fe4340b-5dfa-4fd0-a100-516e4181020e

Timeline

Publicly Published
2020-05-18 (about 5 years ago)
Added
2020-05-18 (about 5 years ago)
Last Updated
2023-06-08 (about 2 years ago)

Other

Published
Title
Published
2024-11-22
Title
Custom Field Manager <= 1.0 - Reflected XSS Vulnerability
Published
2022-09-30
Title
CRM Perks Forms < 1.1.1 - Reflected XSS
Published
2021-10-18
Title
Active Directory Integration / LDAP Integration < 3.6.95 - Reflected Cross-Site Scripting
Published
2024-08-07
Title
ParcelPanel < 4.3.3 - Reflected Cross-Site Scripting
Published
2025-01-24
Title
Flexmls® IDX Plugin < 3.14.27 - Authenticated (Contributor+) Stored Cross-Site Scripting via API parameters