CVE-2020-36853 in 10WebMapBuilder Plugin
Summary
by MITRE • 10/18/2025
The 10WebMapBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Plugin Settings Change in versions up to, and including, 1.0.63 due to insufficient input sanitization and output escaping and a lack of capability checks. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 10/18/2025
The 10WebMapBuilder plugin for WordPress is affected by CVE-2020-36853 in versions up to and including 1.0.63. The flaw is a stored cross-site scripting vulnerability rooted in insufficient input sanitization and inadequate output escaping: the plugin fails to validate and sanitize user input when processing settings changes, so an attacker can inject persistent scripts into the WordPress environment. The impact is particularly concerning because exploitation requires no authentication, which allows unauthenticated attackers to trigger the flaw and potentially compromise the entire WordPress installation.
Exploitation proceeds through the plugin's settings modification interface, where an attacker can submit JavaScript that is stored in the WordPress database. The stored payload executes whenever any user loads a page containing the injected content, making it a persistent threat that can affect many users over time. The flaw maps to CWE-79, which covers cross-site scripting resulting from insufficient input validation and output escaping. Its persistence is compounded by the lack of capability checks in the plugin's administrative functions: those functions should verify the caller's permissions before accepting and processing settings changes, and the missing access-control check is what lets unauthorized users alter the plugin configuration in the first place.
The operational impact of CVE-2020-36853 extends beyond script injection itself: attackers could use it for session hijacking, defacement of website content, data theft, and privilege escalation within the WordPress environment, for example by running scripts that steal cookies, redirect users to phishing sites, or install additional malware. Because the payload is stored, the attack persists after the initial exploitation and continues to affect every user who accesses an affected page. The vulnerability aligns with ATT&CK technique T1566.001, which covers the exploitation of web applications through the injection of malicious code, and represents a critical risk for WordPress administrators, who may not detect the compromise promptly because stored XSS is stealthy.
Mitigation requires immediate action: update the 10WebMapBuilder plugin to version 1.0.64 or later, which contains the input sanitization and output escaping fixes. Administrators should also monitor plugin settings for changes and audit WordPress installations regularly to detect unauthorized modifications. A web application firewall and a content security policy add further layers of protection against this class of vulnerability. The case underlines the importance of input validation and output escaping, as recommended in the OWASP Top Ten, and of the principle of least privilege in access-control implementations. Organizations should also consider automated patch management so that WordPress plugins and themes are updated promptly; this vulnerability shows how an outdated component can expose an entire web application to persistent threats.
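To make the three weaknesses named above concrete (missing capability check, missing input sanitization, missing output escaping), here is an added illustration of a generic WordPress settings handler written in the weak pattern and then in the hardened form. It is not code from the 10WebMapBuilder plugin; the option name, field name, hook names and text domain are hypothetical.

```php
<?php
// Added example, not the plugin's code. Option/field/hook names are hypothetical.

// --- Weak pattern: the class of defect the advisory describes.
// Any request reaching this handler can store raw HTML, and the value is
// later echoed unescaped, so a stored <script> runs in every viewer's browser.
add_action( 'admin_init', function () {
    if ( isset( $_POST['map_title'] ) ) {
        // No current_user_can(), no nonce, no sanitization.
        update_option( 'example_map_title', $_POST['map_title'] );
    }
} );

function example_render_map_title_weak() {
    // Unescaped output into an HTML context.
    echo '<h2>' . get_option( 'example_map_title', '' ) . '</h2>';
}

// --- Hardened form: capability check and nonce on write,
// sanitize on input, escape on output.
add_action( 'admin_post_example_save_map_title', function () {
    // 1. Access control: only users allowed to manage options may write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', 403 );
    }
    // 2. CSRF protection: reject requests that lack a valid nonce.
    check_admin_referer( 'example_save_map_title' );

    // 3. Sanitize before storing: strips tags and control characters.
    $title = isset( $_POST['map_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['map_title'] ) )
        : '';
    update_option( 'example_map_title', $title );

    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
} );

// Defence in depth: also attach a sanitize callback to the option itself,
// so writes through the Settings API are sanitized even if a handler forgets.
add_action( 'admin_init', function () {
    register_setting( 'example', 'example_map_title', array(
        'sanitize_callback' => 'sanitize_text_field',
    ) );
} );

function example_render_map_title_hardened() {
    // 4. Escape at output for the HTML context the value lands in.
    echo '<h2>' . esc_html( get_option( 'example_map_title', '' ) ) . '</h2>';
}
```

When reviewing a plugin for this weakness class, look for `update_option()` calls reachable without `current_user_can()` and `check_admin_referer()`, and for `echo` of option values without an `esc_*()` wrapper.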