CVE-2020-11508: 
WordPress vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in the WP Lead Plus X WordPress plugin versions through 0.98. The vulnerability was disclosed on April 7, 2020, and was assigned the identifier CVE-2020-11508. This security flaw affects WordPress installations using the WP Lead Plus X plugin, which is a landing page and squeeze page builder (Wordfence Blog).

The vulnerability allows authenticated users with minimal permissions to exploit the wp_ajax_core37_lp_save_page (also known as core37_lp_save_page) AJAX action. Through this action, attackers can create or modify existing pages to include malicious JavaScript code. The vulnerability received a CVSS score of 9.1 (Critical) with the vector string CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L (Wordfence Blog).

The vulnerability enables attackers with minimal user privileges to inject malicious JavaScript code into WordPress pages. This stored XSS vulnerability could lead to compromised website functionality, data theft, and potential unauthorized actions performed on behalf of other users, including administrators (Wordfence Blog).

The vulnerability was patched in version 0.99 of the WP Lead Plus X plugin. Website administrators running affected versions should update to the patched version immediately to mitigate the risk (Wordfence Blog).