CVE-2020-36715 - Vulnerability Details - OpenCVE

The Login/Signup Popup plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on several functions in versions up to, and including, 1.4. This makes it possible for authenticated attackers to inject arbitrary web scripts into the plugin settings that execute if they can successfully trick a user into performing an action such as clicking on a link.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Xootix	Login\/signup Popup

Configuration 1 [-]

cpe:2.3:a:xootix:login\/signup_popup:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://blog.nintechnet.com/zero-day-vulnerability-fixed-in-wordpress-login-signup-popup-plugin/
https://plugins.trac.wordpress.org/changeset/2304979/easy-login-woocommerce
https://www.wordfence.com/threat-intel/vulnerabilities/id/96d264fe-e7e1-4eec-b235-9d288bc5a22f?source=cve

History

Wed, 08 Apr 2026 17:45:00 +0000

Type	Values Removed	Values Added
Title		Login/Signup Popup < 1.5 - Missing Authorization

Sat, 21 Dec 2024 00:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2023-06-07T01:51:32.956Z

Updated: 2026-04-08T17:10:19.092Z

Reserved: 2023-06-06T13:01:28.321Z

Link: CVE-2020-36715

Vulnrichment

Updated: 2024-08-04T17:37:06.670Z

NVD

Status : Modified

Published: 2023-06-07T02:15:11.920

Modified: 2026-04-08T18:17:09.603

Link: CVE-2020-36715

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2020-36715", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2023-06-06T13:01:28.321Z", "datePublished": "2023-06-07T01:51:32.956Z", "dateUpdated": "2026-04-08T17:10:19.092Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:19.092Z"}, "affected": [{"vendor": "xootix", "product": "Login & Register Customizer \u2013 Popup | Slider | Inline | WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThan": "1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Login/Signup Popup plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on several functions in versions up to, and including, 1.4. This makes it possible for authenticated attackers to inject arbitrary web scripts into the plugin settings that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Login/Signup Popup < 1.5 - Missing Authorization", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/96d264fe-e7e1-4eec-b235-9d288bc5a22f?source=cve"}, {"url": "https://blog.nintechnet.com/zero-day-vulnerability-fixed-in-wordpress-login-signup-popup-plugin/"}, {"url": "https://plugins.trac.wordpress.org/changeset/2304979/easy-login-woocommerce"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "baseScore": 7.4, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jerome Bruandet"}], "timeline": [{"time": "2020-05-14T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:37:06.670Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/96d264fe-e7e1-4eec-b235-9d288bc5a22f?source=cve", "tags": ["x_transferred"]}, {"url": "https://blog.nintechnet.com/zero-day-vulnerability-fixed-in-wordpress-login-signup-popup-plugin/", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/2304979/easy-login-woocommerce", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-20T23:28:09.319149Z", "id": "CVE-2020-36715", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-20T23:52:00.457Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/96d264fe-e7e1-4eec-b235-9d288bc5a22f?source=cve", "tags": ["x_transferred"]}, {"url": "https://blog.nintechnet.com/zero-day-vulnerability-fixed-in-wordpress-login-signup-popup-plugin/", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/2304979/easy-login-woocommerce", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:37:06.670Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-36715", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-20T23:28:09.319149Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-20T23:28:11.588Z"}}], "cna": {"title": "Login/Signup Popup < 1.5 - Missing Authorization", "credits": [{"lang": "en", "type": "finder", "value": "Jerome Bruandet"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"}}], "affected": [{"vendor": "xootix", "product": "Login & Register Customizer \u2013 Popup | Slider | Inline | WooCommerce", "versions": [{"status": "affected", "version": "0", "lessThan": "1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2020-05-14T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/96d264fe-e7e1-4eec-b235-9d288bc5a22f?source=cve"}, {"url": "https://blog.nintechnet.com/zero-day-vulnerability-fixed-in-wordpress-login-signup-popup-plugin/"}, {"url": "https://plugins.trac.wordpress.org/changeset/2304979/easy-login-woocommerce"}], "descriptions": [{"lang": "en", "value": "The Login/Signup Popup plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on several functions in versions up to, and including, 1.4. This makes it possible for authenticated attackers to inject arbitrary web scripts into the plugin settings that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:19.092Z"}}}, "cveMetadata": {"cveId": "CVE-2020-36715", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:10:19.092Z", "dateReserved": "2023-06-06T13:01:28.321Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2023-06-07T01:51:32.956Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xootix:login\\/signup_popup:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "DA47E476-44B8-4005-BA8B-C80F056F4619", "versionEndIncluding": "1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Login/Signup Popup plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on several functions in versions up to, and including, 1.4. This makes it possible for authenticated attackers to inject arbitrary web scripts into the plugin settings that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "id": "CVE-2020-36715", "lastModified": "2026-04-08T18:17:09.603", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 3.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-06-07T02:15:11.920", "references": [{"source": "security@wordfence.com", "tags": ["Exploit"], "url": "https://blog.nintechnet.com/zero-day-vulnerability-fixed-in-wordpress-login-signup-popup-plugin/"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/2304979/easy-login-woocommerce"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/96d264fe-e7e1-4eec-b235-9d288bc5a22f?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://blog.nintechnet.com/zero-day-vulnerability-fixed-in-wordpress-login-signup-popup-plugin/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/2304979/easy-login-woocommerce"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/96d264fe-e7e1-4eec-b235-9d288bc5a22f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Secondary"}]}