CVE-2020-35937

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

8.0HIGH

EPSS

1.4%

top 19.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pickplugins Post Grid Pickplugins Team Showcase

Timeline

PublishedJan 1

Latest updateMay 24

Description

Stored Cross-Site Scripting (XSS) vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to team_import_xml_layouts.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

▶NVDpickplugins/team_showcase< 1.22.16

▶NVDpickplugins/post_grid< 2.0.73

🔴Vulnerability Details

GHSA

GHSA-p7xx-frqx-57x6: Stored Cross-Site Scripting (XSS) vulnerabilities in the Team Showcase plugin before 1↗2022-05-24

▶

CVEList

CVE-2020-35937: Stored Cross-Site Scripting (XSS) vulnerabilities in the Team Showcase plugin before 1↗2021-01-01

▶