Vulnerabilities ›

CVE-2020-37225

Medium

CWE-79 — Weakness Type

                    Published: May 13, 2026                      ·  Modified: May 16, 2026                      ·  Source: NVD                

CVSS v3

6.4

🔗 NVD Official

📄 Description (English)

Powie's WHOIS Domain Check 0.9.31 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by exploiting unsanitized input fields in plugin settings. Attackers can submit malicious payloads through textarea and input elements in the pwhois_settings.php configuration page to execute JavaScript in the admin context and escalate privileges.

🤖 AI Executive Summary

CVE-2020-37225 is a persistent XSS vulnerability in Powie's WHOIS Domain Check plugin (v0.9.31) affecting WordPress installations. Authenticated attackers can inject malicious JavaScript through unsanitized configuration fields to execute code in admin context and escalate privileges. With no available patch and no public exploit, the risk remains moderate but requires immediate mitigation for organizations using this plugin.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 15, 2026 14:56

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations using WordPress with Powie's WHOIS Domain Check plugin face privilege escalation risks. Most vulnerable sectors include: Government agencies (NCA, CITC) managing domain registrations; Banking sector (SAMA-regulated institutions) using WordPress for internal portals; Telecom companies (STC, Mobily) with WordPress-based administrative interfaces; Healthcare organizations (MOH) managing domain infrastructure. The vulnerability allows authenticated insiders or compromised low-privilege accounts to gain administrative access, potentially leading to data theft, malware distribution, or system compromise.

🏢 Affected Saudi Sectors

Government (NCA, CITC domain management) Banking (SAMA-regulated institutions) Telecommunications (STC, Mobily) Healthcare (MOH, private hospitals) Energy (ARAMCO subsidiary operations) Education (Universities with WordPress portals) E-commerce (SMEs using WordPress)

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application (WordPress plugin exploitation) T1598 - Phishing (social engineering to gain authenticated access) T1547 - Boot or Logon Autostart Execution (persistent XSS in admin context) T1078 - Valid Accounts (privilege escalation via authenticated XSS) T1059 - Command and Scripting Interpreter (JavaScript execution) T1136 - Create Account (unauthorized admin account creation) T1098 - Account Manipulation (privilege escalation)

⚖️ Saudi Risk Score (AI)

6.2

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Audit all WordPress installations for Powie's WHOIS Domain Check plugin v0.9.31 presence

2. Disable the plugin immediately if found: wp-admin > Plugins > Deactivate

3. Review admin audit logs for suspicious configuration changes or JavaScript injections

4. Check for unauthorized admin accounts created via XSS exploitation

Patching Guidance:

1. Remove the vulnerable plugin entirely (Delete option in WordPress)

2. Search for alternative WHOIS lookup plugins with active security maintenance

3. If plugin functionality is critical, implement compensating controls

Compensating Controls (if plugin removal not feasible):

1. Restrict plugin access via file permissions: chmod 640 on pwhois_settings.php

2. Implement Web Application Firewall (WAF) rules to block JavaScript payloads in POST requests to pwhois_settings.php

3. Enforce strict Content Security Policy (CSP) headers: Content-Security-Policy: script-src 'self'

4. Limit admin access via IP whitelisting and VPN requirements

5. Implement database activity monitoring for unauthorized privilege changes

Detection Rules:

1. Monitor wp_usermeta table for role changes to 'administrator'

2. Alert on POST requests to /wp-admin/admin.php?page=pwhois_settings containing script tags or event handlers

3. Log all plugin configuration changes with timestamp and user ID

4. Search WordPress database for stored XSS payloads: SELECT * FROM wp_options WHERE option_value LIKE '%<script%' OR option_value LIKE '%javascript:%'

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تدقيق جميع تثبيتات WordPress للتحقق من وجود إضافة Powie's WHOIS Domain Check الإصدار 0.9.31

2. تعطيل الإضافة فورًا إن وجدت: wp-admin > Plugins > Deactivate

3. مراجعة سجلات تدقيق المسؤول للتغييرات المريبة في التكوين أو حقن JavaScript

4. التحقق من حسابات المسؤول غير المصرح بها المنشأة عبر استغلال XSS

إرشادات التصحيح:

1. إزالة الإضافة الضعيفة بالكامل (خيار الحذف في WordPress)

2. البحث عن إضافات WHOIS بديلة مع صيانة أمان نشطة

3. إذا كانت وظيفة الإضافة حرجة، تنفيذ ضوابط تعويضية

الضوابط التعويضية (إذا لم يكن من الممكن إزالة الإضافة):

1. تقييد وصول الإضافة عبر أذونات الملفات: chmod 640 على pwhois_settings.php

2. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحظر حمولات JavaScript في طلبات POST إلى pwhois_settings.php

3. فرض رؤوس سياسة أمان المحتوى الصارمة: Content-Security-Policy: script-src 'self'

4. تقييد وصول المسؤول عبر القائمة البيضاء للعناوين وتطلبات VPN

5. تنفيذ مراقبة نشاط قاعدة البيانات للتغييرات غير المصرح بها في الامتيازات

قواعد الكشف:

1. مراقبة جدول wp_usermeta للتغييرات في الدور إلى 'administrator'

2. التنبيه على طلبات POST إلى /wp-admin/admin.php?page=pwhois_settings تحتوي على علامات script أو معالجات أحداث

3. تسجيل جميع تغييرات تكوين الإضافة مع الطابع الزمني ومعرف المستخدم

4. البحث في قاعدة بيانات WordPress عن حمولات XSS المخزنة: SELECT * FROM wp_options WHERE option_value LIKE '%<script%' OR option_value LIKE '%javascript:%'

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.14.2.1 - Information security requirements for supplier relationships (plugin vendor accountability) ECC 2024 A.12.6.1 - Management of technical vulnerabilities (patch management) ECC 2024 A.14.1.1 - Information security policy for supplier relationships

🔵 SAMA CSF

SAMA CSF ID.GV-1 - Organizational governance and risk management SAMA CSF PR.AC-1 - Access control and authentication SAMA CSF DE.CM-1 - Detection and monitoring of security events SAMA CSF RS.MI-1 - Incident response and mitigation

🟡 ISO 27001:2022

ISO 27001:2022 A.5.23 - Information security for supplier relationships ISO 27001:2022 A.8.1 - User endpoint devices and computing resources ISO 27001:2022 A.8.3 - Access control ISO 27001:2022 A.12.6 - Management of technical vulnerabilities

🟣 PCI DSS v4.0.1

PCI DSS 6.2 - Security patches and updates (if payment systems affected) PCI DSS 6.5.7 - Cross-site scripting prevention PCI DSS 7.1 - Limit access to system components by business need

🔗 References & Sources 5

🔗

https://blog.haao.sh

disclosure@vulncheck.com

🔗

https://powie.de

disclosure@vulncheck.com

🔗

https://wordpress.org/plugins/powies-whois/

disclosure@vulncheck.com

🔗

https://www.exploit-db.com/exploits/48656

disclosure@vulncheck.com

🔗

https://www.vulncheck.com/advisories/powie-s-whois-domain-check-persistent-cross-site-s...

disclosure@vulncheck.com

📊 CVSS Score

6.4

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeC — Changed

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score6.4

CWECWE-79

EPSS0.04%

Exploit No

Patch ✗ No

Published 2026-05-13

Source Feed nvd

🇸🇦 Saudi Risk Score

6.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-79

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2020-37225

Introduce Yourself

Sign In Required