XSS Vulnerability in WP Lead Plus X Plugin for WordPress
CVE-2020-11508

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: WP Lead Plus X
Vendor: CVE Published:; 7 April 2020

Summary

The WP Lead Plus X plugin for WordPress is susceptible to an XSS vulnerability that enables authenticated users with minimal permissions to create or overwrite existing pages. This is accomplished by injecting arbitrary JavaScript code through the wp_ajax_core37_lp_save_page AJAX action, which could potentially lead to malicious exploits on the site. Proper sanitization and access control measures are needed to mitigate this issue.

References

https://www.wordfence.com/blog/2020/04/critical-vulnerabi...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 7, 2020
Vulnerability Reserved
Apr 3, 2020