LiveActive security incident?Get immediate response
CVE archive

July 2020

Browse CVE records published in July 2020, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 1731 matching CVEs · Page 1 of 35.

Medium · CVSS 4.3

CVE-2020-36761: Top 10 <= 2.9.4 - Cross-Site Request Forgery Bypass

The Top 10 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.10.4. This is due to missing or incorrect nonce validation on the tptn_export_tables() function. This makes it possible for unauthenticated attackers to generate an export of the top 10 table via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36760: Ocean Extra <=1.6.5 - Cross-Site Request Forgery Bypass

The Ocean Extra plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.5]. This is due to missing or incorrect nonce validation on the add_core_extensions_bundle_validation() function. This makes it possible for unauthenticated attackers to validate extension bundles via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36757: WP Hotel Booking <= 1.10.1 - Cross-Site Request Forgery Bypass

The WP Hotel Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.10.1. This is due to missing or incorrect nonce validation on the admin_add_order_item() function. This makes it possible for unauthenticated attackers to add an order item via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36756: 10WebAnalytics <= 1.2.8 - Cross-Site Request Forgery Bypass

The 10WebAnalytics plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.8. This is due to missing or incorrect nonce validation on the create_csv_file() function. This makes it possible for unauthenticated attackers to create a CSV file via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36752: Coming Soon & Maintenance Mode Page <= 1.57 - Cross-Site Request Forgery Bypass

The Coming Soon & Maintenance Mode Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.57. This is due to missing or incorrect nonce validation on the save_meta_box() function. This makes it possible for unauthenticated attackers to save meta boxes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Critical · CVSS 9.8

CVE-2020-36849: AIT CSV import/export <= 3.0.3 - Unauthenticated Arbitrary File Upload

The AIT CSV import/export plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-content/plugins/ait-csv-import-export/admin/upload-handler.php file in versions up to, and including, 3.0.3. This makes it possible for unauthorized attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.

Published Jul 12, 2025 · Updated Apr 8, 2026

Critical · CVSS 9.8

CVE-2020-36847: Simple File List < 4.2.3 - Remote Code Execution

The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server.

Published Jul 12, 2025 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36750: EWWW Image Optimizer <= 5.8.1 - Cross-Site Request Forgery Bypass

The EWWW Image Optimizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.8.1. This is due to missing or incorrect nonce validation on the ewww_ngg_bulk_init() function. This makes it possible for unauthenticated attackers to perform bulk image optimization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36749: Easy Testimonials <= 3.6.1 - Cross-Site Request Forgery Bypass

The Easy Testimonials plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.6.1. This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for unauthenticated attackers to save custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36748: Dokan <= 3.0.8 - Cross-Site Request Forgery Bypass

The Dokan plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.8. This is due to missing or incorrect nonce validation on the handle_order_export() function. This makes it possible for unauthenticated attackers to trigger an order export via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

High · CVSS 7.5

CVE-2020-36848: Total Upkeep by BoldGrid <= 1.14.9 - Unauthenticated Backup Download

The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.14.9 via the env-info.php and restore-info.json files. This makes it possible for unauthenticated attackers to find the location of back-up files and subsequently download them.

Published Jul 12, 2025 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36747: Lightweight Sidebar Manager <= 1.1.4 - Cross-Site Request Forgery Bypass

The Lightweight Sidebar Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.4. This is due to missing or incorrect nonce validation on the metabox_save() function. This makes it possible for unauthenticated attackers to save metbox data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36746: Menu Swapper <= 1.1.0.2 - Cross-Site Request Forgery Bypass

The Menu Swapper plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.0.2. This is due to missing or incorrect nonce validation on the mswp_save_meta() function. This makes it possible for unauthenticated attackers to save meta data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36745: WP Project Manager <= 2.4.0 - Cross-Site Request Forgery Bypass

The WP Project Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.0. This is due to missing or incorrect nonce validation on the do_updates() function. This makes it possible for unauthenticated attackers to trigger updates via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36744: NotificationX <= 1.8.2 - Cross-Site Request Forgery Bypass

The NotificationX plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.2. This is due to missing or incorrect nonce validation on the generate_conversions() function. This makes it possible for unauthenticated attackers to generate conversions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36743: Product Catalog Simple <= 1.5.13 - Cross-Site Request Forgery Bypass

The Product Catalog Simple plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.13. This is due to missing or incorrect nonce validation on the implecode_save_products_meta() function. This makes it possible for unauthenticated attackers to update product meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36742: Custom Field Template <= 2.5.1 - Cross-Site Request Forgery Bypass

The Custom Field Template plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.1. This is due to missing or incorrect nonce validation on the edit_meta_value() function. This makes it possible for unauthenticated attackers to edit meta field values via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36741: MultiVendorX – MultiVendor Marketplace Solution For WooCommerce <= 3.5.7 - Cross-Site Request Forgery Bypass

The MultiVendorX plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.7. This is due to missing or incorrect nonce validation on the submit_comment() function. This makes it possible for unauthenticated attackers to submit comments via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36740: Radio Buttons for Taxonomies <= 2.0.5 - Cross-Site Request Forgery Bypass

The Radio Buttons for Taxonomies plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on the save_single_term() function. This makes it possible for unauthenticated attackers to save terms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36739: Feed Them Social – Page, Post, Video, and Photo Galleries <= 2.8.6 - Cross-Site Request Forgery Bypass

The Feed Them Social – Page, Post, Video, and Photo Galleries plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.8.6. This is due to missing or incorrect nonce validation on the my_fts_fb_load_more() function. This makes it possible for unauthenticated attackers to load feeds via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36738: Cool Timeline (Horizontal & Vertical Timeline) <= 2.0.2 - Cross-Site Request Forgery Bypass

The Cool Timeline (Horizontal & Vertical Timeline) plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the ctl_save() function. This makes it possible for unauthenticated attackers to save field icons via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36737: Import / Export Customizer Settings <= 1.0.3 - Cross-Site Request Forgery Bypass

The Import / Export Customizer Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the astra_admin_errors() function. This makes it possible for unauthenticated attackers to display an import status via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36736: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce <= 1.5.15 - Cross-Site Request Forgery Bypass

The WooCommerce Checkout & Funnel Builder by CartFlows plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.15. This is due to missing or incorrect nonce validation on the export_json, import_json, and status_logs_file functions. This makes it possible for unauthenticated attackers to import/export settings and trigger logs showing via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36735: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting <= 1.6.3 - Cross-Site Request Forgery Bypass

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.3. This is due to missing or incorrect nonce validation on the handle_leave_calendar_filter, add_enable_disable_option_save, leave_policies, process_bulk_action, and process_crm_contact functions. This makes it possible for unauthenticated attackers to modify the plugins settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Critical · CVSS 9.8 · CISA KEV

CVE-2020-14644: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Published Jul 15, 2020 · Updated Jan 12, 2026

Critical · CVSS 9.8 · CISA KEV

CVE-2020-15505: A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0....

A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors.

Published Jul 7, 2020 · Updated Oct 21, 2025

Critical · CVSS 10 · CISA KEV

CVE-2020-6287: SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an aut...

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.

Published Jul 14, 2020 · Updated Oct 21, 2025