CVE-2020-11512

Name of the Vulnerable Software and Affected Versions IMPress for IDX Broker WordPress plugin versions prior to 2.6.2

Description The issue allows authenticated attackers with minimal permissions to save arbitrary JavaScript in the plugin's settings panel via the idx update recaptcha key AJAX action and a crafted idx recaptcha site key parameter. This saved JavaScript would then be executed in the browser of any administrator visiting the panel, potentially leading to the creation of new administrator-level accounts.

Recommendations For versions prior to 2.6.2, update to version 2.6.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the settings panel to prevent potential exploitation.