CVE-2020-36172
Good to know:
Date: January 6, 2021
The Advanced Custom Fields plugin before 5.8.12 for WordPress mishandles the escaping of strings in Select2 dropdowns, potentially leading to XSS.
Language: PHP
Severity Score
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-79
Top Fix
Upgrade Version
CVSS v3.1
| Base Score: | |
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | REQUIRED |
| Scope (S): | CHANGED |
| Confidentiality (C): | LOW |
| Integrity (I): | LOW |
| Availability (A): | NONE |
CVSS v2
| Base Score: | |
|---|---|
| Access Vector (AV): | NETWORK |
| Access Complexity (AC): | MEDIUM |
| Authentication (AU): | NONE |
| Confidentiality (C): | NONE |
| Integrity (I): | PARTIAL |
| Availability (A): | NONE |
| Additional information: | |


