LiveActive security incident?Get immediate response
CVE Record

CVE-2020-36854: Async JavaScript <= 2.19.07.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting

The Async JavaScript plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.19.07.14. This is due to missing authorization checks on the aj_steps AJAX aciton along with a lack on sanitization on the settings saved via the function. This makes it possible for authenticated attackers with subscriber level permissions and above to inject malicious web scripts into a page that execute whenever a user accesses that page.

MediumCVSS 6.4Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

A WordPress plugin called Async JavaScript had a flaw that let any logged-in user, even a low-privilege subscriber, save malicious code into the site's settings. That code then ran in the browser of anyone who later viewed an affected page, including administrators. The vendor versions through 2.19.07.14 are affected, and sites that allow open registration are most at risk.

Executive priority

Schedule a routine update for any WordPress site running Async JavaScript and limit who can register accounts. Not an emergency, but worth closing this quarter.

Technical view

Authenticated stored XSS (CWE-79) in the Async JavaScript WordPress plugin through version 2.19.07.14. The aj_steps AJAX action lacked capability checks and saved settings were not sanitized, allowing a subscriber-level account to persist arbitrary script that executes in any browser rendering the affected pages. CVSS 3.1 6.4, scope changed, low confidentiality and integrity impact.

Likely exposure

WordPress sites running the Async JavaScript plugin at version 2.19.07.14 or earlier, especially those allowing open user registration at subscriber level or higher. Sites that disable self-registration and restrict low-privilege accounts have meaningfully reduced exposure.

Exploitation context

No public evidence of active exploitation tied to this specific CVE. Wordfence reporting cited in the bundle covers a broader 2020 site-takeover campaign against multiple plugins, not a confirmed campaign against this exact flaw. Requires a logged-in user, which lowers practical risk on sites without open registration.

Researcher notes

CWE-79 stored XSS in the Async JavaScript plugin (cloughit) at versions ≤ 2.19.07.14. Root cause is missing capability checks on the aj_steps AJAX action combined with insufficient sanitization of saved settings, allowing subscribers to persist script payloads that execute in admin and visitor contexts. CVSS 3.1 6.4 with scope change reflects DOM impact across users. Not in CISA KEV. The Wordfence campaign blog cited in references describes a broader plugin takeover wave and is not a confirmed indicator-of-compromise source for this specific CVE.

Mitigation direction

  • Update the Async JavaScript plugin to the latest version published by the vendor.
  • If no patched version is listed, deactivate and remove the plugin until vendor guidance is issued.
  • Disable open user registration or lower the default new-user role where business needs allow.
  • Audit subscriber and contributor accounts and remove unfamiliar or unused logins.
  • Deploy a WordPress web application firewall to block stored XSS payload patterns.

Validation and detection

  • Confirm the installed Async JavaScript plugin version under WordPress Plugins.
  • Check WordPress general settings for Membership enabled and the default new-user role.
  • Search settings tables for unexpected script tags or event handlers in saved values.
  • Review access logs for POST requests to admin-ajax.php with action aj_steps from low-privilege users.
  • Test patched build in staging and confirm saved settings render as escaped text, not active script.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-79: User-session and phishing behavior lookup

Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2020-36854 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
6.4 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
3Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
6.4CVSS 3.1MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N3.12.7Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

6.4Medium
CVSS 3.1 vector shape for CVE-2020-36854Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
cloughitAsync JavaScript0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.