CVE-2020-36919

WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in victim's browser.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://wordpress.org/plugins/wpforms-lite	Product
https://www.exploit-db.com/exploits/51152	Exploit
https://www.vulncheck.com/advisories/wpforms-cross-site-scripting-xss	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wpforms:wpforms:*:*:*:*:lite:wordpress:*:*

History

29 Jan 2026, 00:50

Type	Values Removed	Values Added
References	~~() https://wordpress.org/plugins/wpforms-lite -~~	() https://wordpress.org/plugins/wpforms-lite - Product
References	~~() https://www.exploit-db.com/exploits/51152 -~~	() https://www.exploit-db.com/exploits/51152 - Exploit
References	~~() https://www.vulncheck.com/advisories/wpforms-cross-site-scripting-xss -~~	() https://www.vulncheck.com/advisories/wpforms-cross-site-scripting-xss - Third Party Advisory
CPE		cpe:2.3:a:wpforms:wpforms:::::lite:wordpress::
First Time		Wpforms wpforms Wpforms

13 Jan 2026, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-13 23:15

Updated : 2026-01-29 00:50

NVD link : CVE-2020-36919

Mitre link : CVE-2020-36919

CVE.ORG link : CVE-2020-36919

JSON object : View

Products Affected

wpforms

wpforms

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2020-36919", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-13T23:15:48.717", "references": [{"url": "https://wordpress.org/plugins/wpforms-lite", "tags": ["Product"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/51152", "tags": ["Exploit"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/wpforms-cross-site-scripting-xss", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in victim's browser."}], "lastModified": "2026-01-29T00:50:28.337", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wpforms:wpforms:*:*:*:*:lite:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "C2C0B222-34A9-40E4-89E3-937E76944165", "versionEndIncluding": "1.7.8"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}