Security readout for executives and security teams
Plain-English summary
A WordPress plugin called Async JavaScript had a flaw that let any logged-in user, even a low-privilege subscriber, save malicious code into the site's settings. That code then ran in the browser of anyone who later viewed an affected page, including administrators. The vendor versions through 2.19.07.14 are affected, and sites that allow open registration are most at risk.
Executive priority
Schedule a routine update for any WordPress site running Async JavaScript and limit who can register accounts. Not an emergency, but worth closing this quarter.
Technical view
Authenticated stored XSS (CWE-79) in the Async JavaScript WordPress plugin through version 2.19.07.14. The aj_steps AJAX action lacked capability checks and saved settings were not sanitized, allowing a subscriber-level account to persist arbitrary script that executes in any browser rendering the affected pages. CVSS 3.1 6.4, scope changed, low confidentiality and integrity impact.
Likely exposure
WordPress sites running the Async JavaScript plugin at version 2.19.07.14 or earlier, especially those allowing open user registration at subscriber level or higher. Sites that disable self-registration and restrict low-privilege accounts have meaningfully reduced exposure.
Exploitation context
No public evidence of active exploitation tied to this specific CVE. Wordfence reporting cited in the bundle covers a broader 2020 site-takeover campaign against multiple plugins, not a confirmed campaign against this exact flaw. Requires a logged-in user, which lowers practical risk on sites without open registration.
Researcher notes
CWE-79 stored XSS in the Async JavaScript plugin (cloughit) at versions ≤ 2.19.07.14. Root cause is missing capability checks on the aj_steps AJAX action combined with insufficient sanitization of saved settings, allowing subscribers to persist script payloads that execute in admin and visitor contexts. CVSS 3.1 6.4 with scope change reflects DOM impact across users. Not in CISA KEV. The Wordfence campaign blog cited in references describes a broader plugin takeover wave and is not a confirmed indicator-of-compromise source for this specific CVE.
Mitigation direction
- Update the Async JavaScript plugin to the latest version published by the vendor.
- If no patched version is listed, deactivate and remove the plugin until vendor guidance is issued.
- Disable open user registration or lower the default new-user role where business needs allow.
- Audit subscriber and contributor accounts and remove unfamiliar or unused logins.
- Deploy a WordPress web application firewall to block stored XSS payload patterns.
Validation and detection
- Confirm the installed Async JavaScript plugin version under WordPress Plugins.
- Check WordPress general settings for Membership enabled and the default new-user role.
- Search settings tables for unexpected script tags or event handlers in saved values.
- Review access logs for POST requests to admin-ajax.php with action aj_steps from low-privilege users.
- Test patched build in staging and confirm saved settings render as escaped text, not active script.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2020-36854 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 6.4 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N3.12.7Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
6.4MediumVector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
