WordPress Plugin Vulnerabilities

Async Javascript < 2.20.02.27 - Subscriber+ Stored XSS via Plugin Settings Change

Description

Async JavaScript’s settings are modified via calls to wp-admin/admin-ajax.php with the action aj_steps. This AJAX action is registered only for authenticated users, but no capabilities checks are made. Because of this, low-privilege users including Subscribers can modify the plugin’s settings.

Affects Plugins

Plugin icon
async-javascript
Fixed in 2.20.02.27

References

URL
https://www.wordfence.com/blog/2020/02/site-takeover-campaign-exploits-multiple-zero-day-vulnerabilities/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
Sean Murphy, QA Lead Matt Rusnak, and QA Engineer Ramuel Gall (Wordfence)
Verified
No
WPVDB ID
e36be0c1-de61-407b-95a6-ebb340bf29b3

Timeline

Publicly Published
2020-02-27 (about 6 years ago)
Added
2020-02-28 (about 6 years ago)
Last Updated
2020-02-29 (about 6 years ago)

Other

Published
Title
Published
2025-09-22
Title
Genealogical Tree <= 2.2.6 - Contributor+ Stored XSS
Published
2025-11-26
Title
Houzez < 4.1.7 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload
Published
2021-09-20
Title
Page Generator < 1.5.9 - Reflected Cross-Site Scripting
Published
2024-12-13
Title
Companion Portfolio – Responsive Portfolio Plugin <= 2.4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-03-21
Title
Easy Custom Admin Bar <= 1.0 - Reflected Cross-Site Scripting via msg Parameter