CVE-2020-11509

Name of the Vulnerable Software and Affected Versions WP Lead Plus X plugin versions through 0.98

Description The issue allows remote attackers to upload page templates containing arbitrary JavaScript via the "c37 wpl import template" admin-post action. This JavaScript will execute in an administrator's browser if the template is used to create a page.

Recommendations For WP Lead Plus X plugin versions through 0.98, consider disabling the c37 wpl import template admin-post action until a patch is available to prevent the upload of malicious templates. Restrict access to the template creation feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.