CVE-2020-36853
published 2025-10-18CVE-2020-36853: The 10WebMapBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Plugin Settings Change in versions up to, and including, 1.0.63 due…
PriorityP279high7.2CVSS 3.1
AVNACLPRNUINSCCLILAN
ITWVulnCheck KEV
Exploited in the wild
EPSS
0.35%
26.6th percentile
The 10WebMapBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Plugin Settings Change in versions up to, and including, 1.0.63 due to insufficient input sanitization and output escaping and a lack of capability checks. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 10web | 10web_map_builder_for_google_maps | < 1.0.64 | 1.0.64 |
CVSS provenance
nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vulncheck7.2HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-gx97-gg4r-qw22: The 10WebMapBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Plugin Settings Change in versions up to, and including, 1
ghsa_unreviewed·2025-10-18
CVE-2020-36853 [HIGH] CWE-79 GHSA-gx97-gg4r-qw22: The 10WebMapBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Plugin Settings Change in versions up to, and including, 1
The 10WebMapBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Plugin Settings Change in versions up to, and including, 1.0.63 due to insufficient input sanitization and output escaping and a lack of capability checks. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulnCheck
10web map_builder_for_google_maps Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2020·CVSS 7.2
CVE-2020-36853 [HIGH] 10web map_builder_for_google_maps Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
10web map_builder_for_google_maps Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The 10WebMapBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Plugin Settings Change in versions up to, and including, 1.0.63 due to insufficient input sanitization and output escaping and a lack of capability checks. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected: 10web map_builder_for_google_maps
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/blog/2020/02/site-takeove
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-10-18
Published
Exploited in the wild