CVE-2020-35937

7.5 HIGH

📋 TL;DR

This stored XSS vulnerability in the Team Showcase WordPress plugin allows remote authenticated attackers to inject malicious JavaScript through the plugin's AJAX layout-import request. Imported layouts that contain script content are stored and the script executes when the layout is viewed by other users. WordPress sites running vulnerable versions of the Team Showcase plugin are affected.

💻 Affected Systems

Products:
  • Team Showcase WordPress Plugin
Versions: All versions before 1.22.16
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Team Showcase plugin enabled. Attackers need authenticated access to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or establish persistent backdoors leading to complete site compromise.

🟠 Likely Case

Attackers with authenticated access could inject malicious scripts that steal user session cookies, perform actions on behalf of users, or display fraudulent content.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before execution, preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access. The vulnerability is well-documented with proof-of-concept available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.22.16 and later

Vendor Advisory: https://wordpress.org/plugins/team-showcase/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Team Showcase plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, download version 1.22.16 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable AJAX Import Functionality

all

Temporarily disable the vulnerable AJAX endpoint that handles layout imports

Add to the theme's functions.php. Note that wp_ajax_team_import_xml_layouts is an action hook, so registering __return_false as a filter on it does not stop the plugin's own handler from running; instead, hook in ahead of the handler and end the request (this assumes the plugin registers its handler at the default priority 10):

  add_action( 'wp_ajax_team_import_xml_layouts', function () {
      // Refuse the layout import before the plugin's handler runs.
      wp_send_json_error( 'Layout import disabled', 403 );
  }, 0 );

Restrict User Roles

all

Limit which user roles can access plugin functionality

Use WordPress role management plugins to restrict access to Team Showcase features

🧯 If You Can't Patch

  • Disable or remove the Team Showcase plugin entirely
  • Implement web application firewall (WAF) rules to block requests to /wp-admin/admin-ajax.php with action team_import_xml_layouts whose source parameter contains script content (for example <script or javascript:)

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Team Showcase → Version. If version is below 1.22.16, system is vulnerable.

Check Version:

wp plugin list --name=team-showcase --field=version

Verify Fix Applied:

After updating, verify version is 1.22.16 or higher. Test AJAX import functionality with safe test payloads.
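The version check above is easy to get wrong in a script because a plain string comparison sorts "1.9" after "1.22.16". The following is an added example, not part of the advisory or the plugin: it parses the JSON that wp plugin list --name=team-showcase --format=json emits (a real wp-cli option) and compares versions numerically against the fixed release. The sample wp-cli output embedded in it is constructed.

```python
"""Decide whether an installed Team Showcase version is below the fixed release.

Added example, not part of the advisory or the plugin. It parses the JSON that
`wp plugin list --name=team-showcase --format=json` emits and compares versions
numerically, because a plain string comparison gets "1.9" > "1.22.16" wrong.
"""
import json
import re
import subprocess

PLUGIN_SLUG = "team-showcase"
FIXED_VERSION = "1.22.16"   # first release that carries the fix, per the advisory


def parse_version(version: str) -> tuple:
    """Turn '1.22.15' (or '1.22.15-beta') into a tuple of ints for ordering.

    Only leading numeric components are compared; a pre-release suffix is
    dropped, so '1.22.16-beta' is treated like 1.22.16 (a simplification).
    """
    parts = []
    for component in version.strip().split("."):
        m = re.match(r"\d+", component)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version sorts below the fixed version."""
    return parse_version(installed) < parse_version(fixed)


def check_plugin_list(json_text: str, fixed: str = FIXED_VERSION) -> list:
    """Return one dict per matching plugin entry with a 'vulnerable' verdict."""
    results = []
    for entry in json.loads(json_text):
        if entry.get("name") != PLUGIN_SLUG:
            continue
        version = entry.get("version", "")
        results.append({
            "name": entry["name"],
            "version": version,
            "status": entry.get("status"),
            "vulnerable": is_vulnerable(version, fixed),
        })
    return results


# Constructed sample in the shape wp-cli's --format=json produces.
SAMPLE_WP_OUTPUT = json.dumps([
    {"name": "team-showcase", "status": "active", "update": "available", "version": "1.22.15"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "4.1.9"},
])


def run_wp_cli() -> str:
    """Query the live site; needs wp-cli on PATH and a WordPress working directory."""
    return subprocess.run(
        ["wp", "plugin", "list", "--name=" + PLUGIN_SLUG, "--format=json"],
        check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    try:
        output = run_wp_cli()
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("wp-cli not available; using constructed sample output")
        output = SAMPLE_WP_OUTPUT
    for r in check_plugin_list(output):
        verdict = "VULNERABLE" if r["vulnerable"] else "patched"
        print(f"{r['name']} {r['version']} ({r['status']}): {verdict}")
```

Run it from the WordPress installation directory on each site; without wp-cli it falls back to the constructed sample so the comparison logic can be inspected offline.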

📡 Detection & Monitoring

Log Indicators:

  • AJAX requests to wp-admin/admin-ajax.php with action=team_import_xml_layouts containing JavaScript in parameters
  • Unusual import activities from authenticated users

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with team_import_xml_layouts action and script tags in payload

SIEM Query:

source="wordpress" AND uri="/wp-admin/admin-ajax.php" AND (action="team_import_xml_layouts" OR params CONTAINS "team_import_xml_layouts") AND (params CONTAINS "<script" OR params CONTAINS "javascript:")
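The indicators above can be turned into detection logic. The following is an added example, not code from the advisory, the plugin or any SIEM vendor: it scans request logs for POSTs to admin-ajax.php whose action is team_import_xml_layouts and whose other parameters contain a <script tag or a javascript: URL, URL-decoding values first so an encoded %3Cscript%3E is not missed. The JSON-lines log schema (time, src_ip, user, method, uri, params) and the sample events are constructed for the example.

```python
"""Flag Team Showcase layout-import AJAX requests that carry script content.

Added detection example, not from the advisory. It assumes request logs are
available as JSON lines with the fields time, src_ip, user, method, uri and
params (query string plus decoded POST body merged into one dict); that schema
is constructed for the example, not a real WordPress or web-server log format.
"""
import json
import re
from urllib.parse import unquote_plus

AJAX_PATH = "/wp-admin/admin-ajax.php"
IMPORT_ACTION = "team_import_xml_layouts"
# The advisory's indicators: a <script tag or a javascript: URL. Case-insensitive
# and tolerant of whitespace, so "< script" or "javascript :" also match.
SCRIPT_RE = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)


def decode_param(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so %3Cscript%3E and double encoding are seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_import_request(event: dict) -> bool:
    """POST to admin-ajax.php whose action parameter is the layout import."""
    path = event.get("uri", "").split("?", 1)[0]
    return (event.get("method") == "POST"
            and path == AJAX_PATH
            and event.get("params", {}).get("action") == IMPORT_ACTION)


def scan_event(event: dict):
    """Return a finding for an import request with script content, else None."""
    if not is_import_request(event):
        return None
    flagged = [name for name, value in event.get("params", {}).items()
               if name != "action" and isinstance(value, str)
               and SCRIPT_RE.search(decode_param(value))]
    if not flagged:
        return None
    return {"time": event.get("time"), "src_ip": event.get("src_ip"),
            "user": event.get("user"), "params": flagged}


def scan_log(lines):
    """Scan JSON-lines request logs; malformed lines are skipped, not fatal."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = scan_event(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events: a legitimate import, a URL-encoded script in the
# source parameter, an unrelated action (out of scope for this specific rule;
# a generic XSS rule would cover it), and a javascript: URL in a title field.
SAMPLE_EVENTS = [
    {"time": "2021-01-04T10:00:01Z", "src_ip": "198.51.100.10", "user": "editor1",
     "method": "POST", "uri": AJAX_PATH,
     "params": {"action": IMPORT_ACTION,
                "source": '<layouts><layout name="staff-grid"/></layouts>'}},
    {"time": "2021-01-04T10:02:17Z", "src_ip": "198.51.100.23", "user": "contrib7",
     "method": "POST", "uri": AJAX_PATH,
     "params": {"action": IMPORT_ACTION,
                "source": "%3Cscript%3E%2F%2Aconstructed%2A%2F%3C%2Fscript%3E"}},
    {"time": "2021-01-04T10:03:40Z", "src_ip": "198.51.100.10", "user": "editor1",
     "method": "POST", "uri": AJAX_PATH,
     "params": {"action": "heartbeat", "data": "<script>x</script>"}},
    {"time": "2021-01-04T10:05:02Z", "src_ip": "198.51.100.23", "user": "contrib7",
     "method": "POST", "uri": AJAX_PATH + "?action=" + IMPORT_ACTION,
     "params": {"action": IMPORT_ACTION, "layout_title": "javascript:void(0)",
                "source": "<layouts/>"}},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS] + ["not json at all"]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['src_ip']} user={f['user']} script content in {f['params']}")
```

Because the import is only reachable by authenticated users, the user field in each finding is the useful pivot: an account that submits script-bearing layouts is either compromised or misused, and the same account's other activity should be reviewed alongside the patch.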
