CVE-2020-36919 | THREATINT

Description

WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in victim's browser.

PUBLISHED Reserved 2026-01-03 | Published 2026-01-13 | Updated 2026-01-14 | Assigner VulnCheck

MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

MEDIUM: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Any version

affected

Credits

Milad karimi finder

References

www.exploit-db.com/exploits/51152 (ExploitDB-51152) exploit

wordpress.org/plugins/wpforms-lite (WPForms Lite Plugin Homepage) product

www.vulncheck.com/...sories/wpforms-cross-site-scripting-xss (VulnCheck Advisory: WPForms 1.7.8 - Cross-Site Scripting (XSS)) third-party-advisory

cve.org (CVE-2020-36919)

nvd.nist.gov (CVE-2020-36919)

Download JSON