CVE-2020-37235

MEDIUM

WordPress Theme Wibar 1.1.8 Stored Cross-Site Scripting via Brand Component

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37235. PoCs published by Ilca Lucian Florin.

AI-analyzed exploit summary: This is a technical writeup detailing a stored XSS vulnerability in the WordPress theme Wibar 1.1.8. The vulnerability exists in the 'Brand Component' feature, specifically in the 'Logo URL' parameter, which allows arbitrary JavaScript execution when a crafted payload is injected.

Description

WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL parameter. Attackers with editor, administrator, contributor, or author privileges can inject base64-encoded script payloads through the ftc_brand_url input field to execute arbitrary JavaScript when users visit the brand page.

Exploits (1)

exploitdb WRITEUP
by Ilca Lucian Florin · text · webapps · php
https://www.exploit-db.com/exploits/49107

Classification: Writeup 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WordPress Theme Wibar 1.1.8
Auth required
Prerequisites: WordPress admin/editor/contributor/author access · Wibar theme version 1.1.8 installed
devstral-2 · analyzed May 16, 2026

References (4)

Core References
Exploit: ExploitDB-49107
https://www.exploit-db.com/exploits/49107
Product: Official Product Homepage
http://demo.themeftc.com/wibar
Third Party Advisory: VulnCheck Advisory: WordPress Theme Wibar 1.1.8 Stored Cross-Site Scripting via Brand Component
https://www.vulncheck.com/advisories/wordpress-theme-wibar-stored-cross-site-scripting-via-brand-component

Scores

CVSS v3 6.4
EPSS 0.0024
EPSS Percentile 15.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE CWE-79
Status published
Products (1)
themeftc/Theme Wibar 1.1.8
Published May 16, 2026
Tracked Since May 16, 2026