CVE Alert: CVE-2020-36853 – 10web – 10Web Map Builder for Google Maps

CVE-2020-36853

Severity: HIGH. No exploitation known.

The 10WebMapBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Plugin Settings Change in versions up to, and including, 1.0.63 due to insufficient input sanitization and output escaping and a lack of capability checks. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS v3.1 base score: 7.2 (High)
Vendor
10web
Product
10Web Map Builder for Google Maps
Versions
* affected: < 1.0.64 (all releases up to and including 1.0.63)
CWE
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Published
2025-10-18T03:33:23.819Z
Updated
2025-10-18T03:33:23.819Z

AI Summary Analysis

Risk verdict

High risk: an unauthenticated attacker can store script in the plugin's settings over the network, and that script then executes in the browser of every visitor who loads an affected page. Patch promptly.

Why this matters

An attacker could inject script that runs in any visitor's session, enabling defacement, redirection, theft of cookies or data visible to the page, and, if an administrator views an injected page, actions performed with that administrator's privileges (a common WordPress escalation is using a nonce read from the admin page to create a new administrator account, turning stored XSS into full site compromise). UI:N applies to the injection step: no victim interaction beyond a normal page view is needed, so automated campaigns against publicly reachable sites are feasible.

Most likely attack path

  • Network-accessible vector requiring no authentication (AV:N, PR:N, UI:N): the settings-change handler can be reached without being logged in.
  • Exploitation hinges on two defects in that handler: missing capability checks (anyone can call it) and insufficient input sanitisation and output escaping (the stored value is rendered as live markup).
  • The scope change (S:C) reflects that the payload executes in visitors' browsers, outside the plugin's own security authority; any page that renders the injected setting, for example a page embedding a map, triggers it for every user who loads it.

Who is most exposed

Any WordPress site with the affected plugin installed and active on a release before 1.0.64. Because no authentication is required, existing access controls do not reduce exposure; sites that embed maps on public pages, and sites without automatic plugin updates (common in shared hosting), are the most likely to be hit.

Detection ideas

  • Alerts for new or unusual inline script content (script tags, on* event-handler attributes, javascript: URLs) on pages served to visitors, compared against a known-good baseline of the page.
  • Web server logs showing POST requests to the plugin's settings-change endpoint from clients with no corresponding administrator login, or outside normal administration windows.
  • Plugin option values in wp_options that contain script tags, event-handler attributes (onerror=, onload=) or javascript: URLs, which no legitimate map setting should contain.
  • WAF/IPS signals for stored XSS payloads or common XSS vectors, both in requests to the settings endpoint and in page output.
  • User reports of unexpected browser behaviour (pop-ups, redirects) after visiting map pages.
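The first detection idea above, worked through as an added example for this advisory (not code from the plugin or the original post): fingerprint the inline script in a rendered page and report anything absent from a baseline taken from a known-good copy. The HTML strings and the `demo_` function names are constructed for the demo; in production, fetch the live page (curl or wp_remote_get) and keep the baseline in version control or a database.

```php
<?php
// Added detection example: fingerprint inline script in a rendered page and
// diff it against a baseline. Function names and sample HTML are constructed
// for this demo and are not part of the plugin.

function demo_inline_script_fingerprints(string $html): array {
    $found = [];
    // inline <script> bodies; external scripts (src=) are better covered by SRI/CSP
    if (preg_match_all('#<script\b([^>]*)>(.*?)</script>#is', $html, $m, PREG_SET_ORDER)) {
        foreach ($m as $tag) {
            if (preg_match('#\bsrc\s*=#i', $tag[1])) {
                continue;
            }
            $found[] = 'script:' . sha1(trim($tag[2]));
        }
    }
    // event-handler attributes (onerror=, onload=, onclick=, ...), quoted or unquoted
    if (preg_match_all('#\son[a-z]+\s*=\s*(?:(["\'])(.*?)\1|([^\s>]+))#is', $html, $m, PREG_SET_ORDER)) {
        foreach ($m as $attr) {
            $val = ($attr[2] ?? '') !== '' ? $attr[2] : ($attr[3] ?? '');
            $found[] = 'handler:' . sha1(trim($val));
        }
    }
    // javascript: URLs in href or src
    if (preg_match_all('#\s(?:href|src)\s*=\s*["\']?\s*javascript:[^"\'\s>]*#i', $html, $m)) {
        foreach ($m[0] as $u) {
            $found[] = 'jsurl:' . sha1(trim($u));
        }
    }
    return array_values(array_unique($found));
}

// Fingerprints present in $html but not in the baseline.
function demo_new_inline_script(array $baseline, string $html): array {
    return array_values(array_diff(demo_inline_script_fingerprints($html), $baseline));
}

if (PHP_SAPI === 'cli') {
    // Constructed known-good page: one legitimate inline script (map initialisation).
    $good = '<html><body><div id="map"></div>'
          . '<script src="/wp-content/plugins/example/map.js"></script>'
          . '<script>initMap({zoom: 12});</script></body></html>';
    $baseline = demo_inline_script_fingerprints($good);

    // Constructed injected page: the same page plus a stored payload rendered in a title.
    $injected = str_replace(
        '<div id="map">',
        '<h2><img src=x onerror="alert(document.domain)"></h2><div id="map">',
        $good
    );

    $new = demo_new_inline_script($baseline, $injected);
    echo count($new) === 0
        ? "no new inline script\n"
        : "ALERT: " . count($new) . " new inline script item(s)\n";
    foreach ($new as $fp) {
        echo "  $fp\n";
    }
}
```

The regex approach is a heuristic that is cheap enough to run from a cron job against every public page; it will miss payloads hidden by HTML encoding tricks, so pair it with the wp_options check above, which sees the raw stored value rather than the rendered page.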

Mitigation and prioritisation

  • Update the plugin to 1.0.64 or later (the first release outside the affected range), or remove it if it is not needed. Deactivating without removing leaves the code on disk; removal is the safer option.
  • If you maintain the plugin or a fork: add a capability check (current_user_can) and a nonce check to the settings handler, sanitise each setting on save, and escape it at output time. Escaping on output is what stops already-stored payloads from executing.
  • Treat a WAF rule set for common XSS patterns and a Content Security Policy (without 'unsafe-inline' for scripts) as compensating controls only; they reduce the chance a payload executes but do not close the unauthenticated settings write.
  • Because no authentication is required and the base score is 7.2, patch ahead of the regular maintenance window; a quick staging check is reasonable, a multi-week delay is not.
  • Review the asset inventory for every site running the plugin, check existing settings for already-stored payloads before and after patching, and monitor the settings endpoint for attempted exploit indicators.
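The root cause and the fix, side by side, as an added example for this advisory (not the 10Web plugin's code): a settings handler with the defects the advisory describes next to a hardened one. The handler, the option name `demo_map_title` and the form field `map_title` are hypothetical; the WordPress functions used (current_user_can, check_admin_referer, sanitize_text_field, esc_html, update_option, get_option, wp_die) are real WordPress APIs, with minimal stand-ins so the file also runs from the command line outside WordPress.

```php
<?php
// Added example, not code from the plugin. Option and field names are
// hypothetical; the WordPress functions are real. The stand-ins below exist
// only so `php demo.php` runs outside WordPress; inside WordPress the real
// functions already exist and this block is skipped.
if (!function_exists('current_user_can')) {
    $GLOBALS['demo_is_admin'] = false;   // simulate an anonymous visitor
    $GLOBALS['demo_options']  = [];
    function current_user_can($cap) { return $GLOBALS['demo_is_admin']; }
    function check_admin_referer($action, $name = '_wpnonce') {
        // real WP verifies an HMAC nonce bound to the user and action
        return isset($_POST[$name]) && $_POST[$name] === 'valid-nonce';
    }
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
    function update_option($k, $v) { $GLOBALS['demo_options'][$k] = $v; return true; }
    function get_option($k, $d = '') { return $GLOBALS['demo_options'][$k] ?? $d; }
    function wp_die($msg) { throw new RuntimeException((string) $msg); }
}

// BEFORE: the pattern the advisory describes. No capability check, no nonce,
// raw request data written to an option and echoed back unescaped.
function demo_vulnerable_save(): void {
    update_option('demo_map_title', $_POST['map_title'] ?? '');
}
function demo_vulnerable_render(): string {
    return '<h2>' . get_option('demo_map_title') . '</h2>';
}

// AFTER: authorisation, CSRF nonce, input sanitisation and output escaping.
function demo_hardened_save(): void {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions');          // blocks anonymous callers
    }
    if (!check_admin_referer('demo_save_map_settings')) {
        wp_die('Invalid nonce');                     // real WP dies inside the check itself
    }
    $title = sanitize_text_field($_POST['map_title'] ?? '');
    update_option('demo_map_title', $title);
}
function demo_hardened_render(): string {
    // escape at output time: the stored value is treated as text, never as markup
    return '<h2>' . esc_html(get_option('demo_map_title')) . '</h2>';
}

// Command-line demonstration only; never runs inside WordPress.
if (PHP_SAPI === 'cli' && !defined('ABSPATH')) {
    // constructed payload, as an unauthenticated attacker would submit it
    $_POST = ['map_title' => '<img src=x onerror="alert(document.domain)">'];

    demo_vulnerable_save();
    echo "vulnerable: " . demo_vulnerable_render() . "\n";   // payload stored and rendered live

    try {
        demo_hardened_save();
    } catch (RuntimeException $e) {
        echo "hardened:   rejected (" . $e->getMessage() . ")\n";
    }

    // even a legitimate administrator submitting the same string ends up with inert text
    $GLOBALS['demo_is_admin'] = true;
    $_POST['_wpnonce'] = 'valid-nonce';
    demo_hardened_save();
    echo "hardened:   " . demo_hardened_render() . "\n";
}
```

Two points worth noting from the hardened path: the capability check alone would have removed the "unauthenticated" half of this advisory, but a compromised or low-privilege account could still have stored a payload, which is why sanitisation on save and escaping on output are both kept. Escaping on output is also the only one of the three that neutralises values that were stored before the fix was applied.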
