Security readout for executives and security teams
Plain-English summary
A WordPress plugin called 10Web Map Builder for Google Maps (versions through 1.0.63) lets anyone on the internet — without logging in — change plugin settings and plant malicious code into pages on the site. Anyone who later visits an affected page runs that code in their browser, which attackers can use to hijack sessions or redirect visitors. Wordfence reported this flaw was part of a broader site takeover campaign in 2020.
Executive priority
Treat as a high-priority hygiene fix for any business-facing WordPress property using this plugin. The flaw is unauthenticated, was tied to a public takeover campaign, and a vendor patch already exists — exposure here is largely a patch-management gap rather than a novel risk.
Technical view
CWE-79 stored XSS in the 10WebMapBuilder (wd-google-maps) plugin up to and including 1.0.63. The vulnerable settings-change handler lacks capability checks, nonce validation context, and proper input sanitization or output escaping, allowing an unauthenticated request to persist attacker-controlled script that executes for any subsequent page viewer. CVSS 3.1 base 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) reflects the scope change inherent to stored XSS reaching site visitors.
Likely exposure
Any WordPress site running 10Web Map Builder for Google Maps at version 1.0.63 or earlier with the plugin reachable from the public internet. The Wordfence advisory and changeset 2251882 indicate a fix was published; sites that have not updated since early 2020 remain exposed.
Exploitation context
Wordfence's February 2020 write-up reports this class of flaw was leveraged in an active site-takeover campaign targeting WordPress plugins, which suggests in-the-wild exploitation occurred. The CVE is not listed in CISA KEV. Attack requires only an unauthenticated network request, and the payload triggers when normal users browse affected pages.
Researcher notes
Root cause is missing capability checks plus absent sanitization on the plugin settings handler, producing stored XSS with scope change. The fix lives in WordPress.org plugin changeset 2251882; diff that revision to identify the exact sanitization and authorization controls added. CVE was published in October 2025 despite the underlying campaign being documented by Wordfence in February 2020, so legacy unpatched installs are the primary exposure surface.
Mitigation direction
- Update 10Web Map Builder for Google Maps to the version published in WordPress changeset 2251882 or later.
- If updating is not immediately possible, deactivate and remove the plugin until patched.
- Place the site behind a WAF with rules covering unauthenticated WordPress plugin setting tampering and stored XSS.
- Audit plugin settings and page content for unexpected script tags, iframes, or redirect code injected by prior abuse.
- Rotate WordPress administrator credentials and active session tokens if compromise is suspected.
- Review vendor advisory at Wordfence and the plugins.trac changeset for any additional remediation guidance.
Validation and detection
- Identify WordPress installs running wd-google-maps (10Web Map Builder for Google Maps) and record installed plugin version.
- Confirm any host on version 1.0.63 or earlier and prioritize for update.
- Review web server access logs for unauthenticated POST/GET traffic to plugin admin-ajax or settings endpoints prior to patching.
- Search rendered pages and the database (wp_options, post content) for unexpected <script>, onerror, or external JavaScript references.
- Verify the patched version after upgrade by re-checking plugin metadata and re-running an authenticated XSS scan.
- Cross-reference Wordfence advisory ID 7c1c24cc-9388-4d91-8dc6-c67d3420cc94 to confirm fixed version.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2020-36853 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- High
- CVSS
- 7.2 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N3.92.7Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
7.2HighVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Source materials
- CVE List V5 sourceCVE List V5
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7c1c24cc-9388-4d91-8dc6-c67d3420cc94?source=cveCVE reference
- https://www.wordfence.com/blog/2020/02/site-takeover-campaign-exploits-multiple-zero-day-vulnerabilities/CVE reference
- https://plugins.trac.wordpress.org/changeset/2251882/wd-google-mapsCVE reference
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
