cbcvebase.
CVE-2020-36853
published 2025-10-18

CVE-2020-36853: The 10WebMapBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Plugin Settings Change in versions up to, and including, 1.0.63 due…

PriorityP279high7.2CVSS 3.1
AVNACLPRNUINSCCLILAN
ITWVulnCheck KEV
Exploited in the wild
EPSS
0.35%
26.6th percentile
The 10WebMapBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Plugin Settings Change in versions up to, and including, 1.0.63 due to insufficient input sanitization and output escaping and a lack of capability checks. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affected

1 ranges
VendorProductVersion rangeFixed in
10web10web_map_builder_for_google_maps< 1.0.641.0.64

CVSS provenance

nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vulncheck7.2HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.