CVE-2020-36715 HIGH

CVE-2020-36715: Login/Signup Popup < 1.5 - Missing Authorization

Vendor Xootix
Product Login & Register Customizer – Popup | Slider | Inline | WooCommerce
Weakness CWE-862 · Missing authorization
Published June 7, 2023
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

7.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

The Login/Signup Popup plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on several functions in versions up to, and including, 1.4. This makes it possible for authenticated attackers to inject arbitrary web scripts into the plugin settings that execute if they can successfully trick a user into performing an action such as clicking on a link.

Key dates

02Disclosure timeline

June 7, 2023 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-12180 Qi Blocks <= 1.4.3 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Update CVE-2024-47302 WordPress Fluent Support plugin <= 1.8.0 - Broken Access Control on Email Verification vulnerability CVE-2025-47527 WordPress Icegram Collect – Easy Form, Lead Collection and Subscription plugin <= 1.3.18 - Broken Access Control Vulnerability CVE-2026-32380 WordPress Numinous theme <= 1.3.0 - Broken Access Control vulnerability CVE-2026-48119 Nezha Monitoring: Authenticated agents can forge service-monitor results for other users' services