LiveActive security incident?Get immediate response
CVE Record

CVE-2020-36853: 10WebMapBuilder <= 1.0.63 - Unauthenticated Stored Cross-Site Scripting via Plugin Settings Change

The 10WebMapBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Plugin Settings Change in versions up to, and including, 1.0.63 due to insufficient input sanitization and output escaping and a lack of capability checks. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

HighCVSS 7.2Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

A WordPress plugin called 10Web Map Builder for Google Maps (versions through 1.0.63) lets anyone on the internet — without logging in — change plugin settings and plant malicious code into pages on the site. Anyone who later visits an affected page runs that code in their browser, which attackers can use to hijack sessions or redirect visitors. Wordfence reported this flaw was part of a broader site takeover campaign in 2020.

Executive priority

Treat as a high-priority hygiene fix for any business-facing WordPress property using this plugin. The flaw is unauthenticated, was tied to a public takeover campaign, and a vendor patch already exists — exposure here is largely a patch-management gap rather than a novel risk.

Technical view

CWE-79 stored XSS in the 10WebMapBuilder (wd-google-maps) plugin up to and including 1.0.63. The vulnerable settings-change handler lacks capability checks, nonce validation context, and proper input sanitization or output escaping, allowing an unauthenticated request to persist attacker-controlled script that executes for any subsequent page viewer. CVSS 3.1 base 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) reflects the scope change inherent to stored XSS reaching site visitors.

Likely exposure

Any WordPress site running 10Web Map Builder for Google Maps at version 1.0.63 or earlier with the plugin reachable from the public internet. The Wordfence advisory and changeset 2251882 indicate a fix was published; sites that have not updated since early 2020 remain exposed.

Exploitation context

Wordfence's February 2020 write-up reports this class of flaw was leveraged in an active site-takeover campaign targeting WordPress plugins, which suggests in-the-wild exploitation occurred. The CVE is not listed in CISA KEV. Attack requires only an unauthenticated network request, and the payload triggers when normal users browse affected pages.

Researcher notes

Root cause is missing capability checks plus absent sanitization on the plugin settings handler, producing stored XSS with scope change. The fix lives in WordPress.org plugin changeset 2251882; diff that revision to identify the exact sanitization and authorization controls added. CVE was published in October 2025 despite the underlying campaign being documented by Wordfence in February 2020, so legacy unpatched installs are the primary exposure surface.

Mitigation direction

  • Update 10Web Map Builder for Google Maps to the version published in WordPress changeset 2251882 or later.
  • If updating is not immediately possible, deactivate and remove the plugin until patched.
  • Place the site behind a WAF with rules covering unauthenticated WordPress plugin setting tampering and stored XSS.
  • Audit plugin settings and page content for unexpected script tags, iframes, or redirect code injected by prior abuse.
  • Rotate WordPress administrator credentials and active session tokens if compromise is suspected.
  • Review vendor advisory at Wordfence and the plugins.trac changeset for any additional remediation guidance.

Validation and detection

  • Identify WordPress installs running wd-google-maps (10Web Map Builder for Google Maps) and record installed plugin version.
  • Confirm any host on version 1.0.63 or earlier and prioritize for update.
  • Review web server access logs for unauthenticated POST/GET traffic to plugin admin-ajax or settings endpoints prior to patching.
  • Search rendered pages and the database (wp_options, post content) for unexpected <script>, onerror, or external JavaScript references.
  • Verify the patched version after upgrade by re-checking plugin metadata and re-running an authenticated XSS scan.
  • Cross-reference Wordfence advisory ID 7c1c24cc-9388-4d91-8dc6-c67d3420cc94 to confirm fixed version.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-79: User-session and phishing behavior lookup

Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2020-36853 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.2 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
4Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.2CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N3.92.7Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

7.2High
CVSS 3.1 vector shape for CVE-2020-36853Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
10web10Web Map Builder for Google Maps0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-79 · source CWE mapping

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.