XSS in Brainstormforce Spectra

CVE-2020-36656

The Spectra WordPress plugin before 1.15.0 does not sanitize user input before it is placed into a style HTML attribute, allowing users with the Contributor role to conduct stored XSS attacks via the plugin's Gutenberg blocks.

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.005 (39.4th percentile)

CVSS v3 metric

CVSS v3 base score 5.4 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.

References

  • contact@wpscan.com (Exploit, Technical Description, Third Party Advisory, VDB Entry)

Frequently asked questions

What is CVE-2020-36656?
CVE-2020-36656 is a medium-severity vulnerability in Brainstormforce Spectra, classified under Cross-site Scripting. CVSS score: 5.4/10. Published 2023-02-21.
How severe is CVE-2020-36656?
Medium severity. CVSS v3 base score is 5.4 out of 10.
Is CVE-2020-36656 known to be exploited?
1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.