CVE-2020-36715

HIGH EXPLOITED

Login/Signup Popup <1.4 - Auth Bypass

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-36715 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

The Login/Signup Popup plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on several functions in versions up to, and including, 1.4. This makes it possible for authenticated attackers to inject arbitrary web scripts into the plugin settings that execute if they can successfully trick a user into performing an action such as clicking on a link.

Scores

CVSS v3 7.4
EPSS 0.0070
EPSS Percentile 48.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

VulnCheck KEV 2020-05-14
CWE
CWE-862
Status published
Products (2)
xootix/Login & Register Customizer – Popup | Slider | Inline | WooCommerce < 1.5
xootix/login\/signup_popup < 1.4
Published Jun 07, 2023
Tracked Since Feb 18, 2026