CVE-2020-37235
Published: 2026-05-16 · Last updated: 2026-05-18
Severity and scoring
- CVSS: 6.4 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CWE: CWE-79
Description
WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL parameter. Attackers with editor, administrator, contributor, or author privileges can inject base64-encoded script payloads through the ftc_brand_url input field to execute arbitrary JavaScript when users visit the brand page.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2020-37235
- [Other] http://demo.themeftc.com/wibar
- [Other] https://themeforest.net/item/wibar-responsive-woocommerce-wordpress-theme/20994798
- [Other] https://www.exploit-db.com/exploits/49107
- [Other] https://www.vulncheck.com/advisories/wordpress-theme-wibar-stored-cross-site-scripting-via-brand-component
Related CVEs
Same CWE
- CVE-2026-12425 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access ...
- CVE-2024-30476 — PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager (5.4 MEDIUM)
- CVE-2026-54198 — Unauthenticated Cross Site Scripting (XSS) in Media Library Assistant <= 3.35 versions (7.1 HIGH)
- CVE-2026-54191 — Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions (7.1 HIGH)
- CVE-2026-39437 — Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions (7.1 HIGH)