XSS in Brainstormforce Spectra
CVE-2020-36656
The Spectra WordPress plugin before 1.15.0 does not sanitize user input as it reaches its style HTML attribute, allowing contributors to conduct stored XSS attacks via the plugin's Gutenberg blocks.
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.005 (39.4th percentile).
CVSS v3 metric
CVSS v3 base score 5.4 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.
Affected products
- Brainstormforce Spectra
- Unknown Spectra — versions 0
Weakness classification (CWE)
Public proof-of-concept exploits
References
- contact@wpscan.com (Exploit, technical-description, Third Party Advisory, exploit, vdb-entry)
Frequently asked questions
- What is CVE-2020-36656?
- CVE-2020-36656 is a medium-severity vulnerability in Brainstormforce Spectra, classified under Cross-site Scripting. CVSS score: 5.4/10. Published 2023-02-21.
- How severe is CVE-2020-36656?
- Medium severity. CVSS v3 base score is 5.4 out of 10.
- Is CVE-2020-36656 known to be exploited?
- 1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.