CVE-2020-36919

MEDIUM

WPForms < 1.7.8 - Stored Cross-Site Scripting via Slider Import Search Feature

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-36919. PoCs published by Milad karimi.

AI-analyzed exploit summary: The exploit demonstrates a reflected XSS vulnerability in WPForms 1.7.8 via the 'tab' parameter in the plugin settings. The PoC URL injects a JavaScript alert payload, confirming the vulnerability.

Description

WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in the victim's browser.

Exploits (1)

exploitdb WORKING POC
by Milad karimi · text · webapps · php
https://www.exploit-db.com/exploits/51152

Classification
Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WPForms Lite 1.7.8
No auth needed
Prerequisites: Access to the target WordPress site with WPForms Lite 1.7.8 installed
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 6.1
EPSS 0.0031
EPSS Percentile 22.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE CWE-79
Status published
Products (2)
Syed Balkhi/WPForms < 1.7.8
wpforms/wpforms < 1.7.8
Published Jan 13, 2026
Tracked Since Feb 18, 2026