CVE Vulnerability

CVE-2020-35937

Stored Cross-Site Scripting (XSS) vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to team_import_xml_layouts.

6 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.wordfence.com/blog/2020/10/high-severity-vulnerabilities-in-post-grid-and-team-showcase-plugins/ Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:pickplugins:team_showcase:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:pickplugins:post_grid:*:*:*:*:*:wordpress:*:*
Information

Published : 2021-01-01 02:15

Updated : 2021-01-11 09:36

NVD link : CVE-2020-35937

Mitre link : CVE-2020-35937

Products Affected

Pickplugins

Team Showcase

CWE
CWE-79