CVE-2020-36919
Cross-Site Scripting in WPForms Slider Import Allows Script Injection
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpforms | wpforms | 1.7.8 |
| wpforms | wpforms | to 1.7.8 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-36919 is a reflected Cross-Site Scripting (XSS) vulnerability in WPForms version 1.7.8. It occurs in the slider import search feature and the "tab" parameter within the plugin settings. Attackers can inject malicious JavaScript code through the ListTable.php endpoint, which is then reflected back and executed in the victim's browser without proper sanitization or encoding. [1, 2]
How can this vulnerability impact me? :
This vulnerability allows attackers to execute arbitrary JavaScript code in the browsers of users who visit a crafted URL. This can lead to theft of user credentials, session hijacking, or other malicious actions performed in the context of the affected website, potentially compromising user data and site integrity. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the slider import search feature and the "tab" parameter in the WPForms plugin, specifically targeting the ListTable.php endpoint. You can attempt to inject a script tag, such as `<script>alert("Ex3ptionaL")</script>`, into these parameters and observe if the script executes in the browser, indicating the presence of the reflected XSS vulnerability. For example, you can use curl or a browser to send a request like: `curl 'http://yourwordpresssite/wp-content/plugins/wpforms-lite/includes/admin/ListTable.php?tab=<script>alert(1)</script>'` and check if the script is reflected and executed. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the WPForms plugin to a version later than 1.7.8 where the vulnerability is fixed. If an update is not available, restrict access to the vulnerable ListTable.php endpoint, sanitize and validate input parameters on the server side, and consider disabling the slider import search feature or the affected parameters until a patch is applied. Additionally, educate users to avoid clicking on suspicious links that may exploit this vulnerability. [2, 3]