CVE-2020-11509: 
WordPress vulnerability analysis and mitigation

An XSS vulnerability was discovered in the WP Lead Plus X WordPress plugin through version 0.98. The vulnerability was assigned CVE-2020-11509 and was disclosed on April 7, 2020. This security issue affects the plugin's template import functionality and impacts WordPress installations using the affected versions (Wordfence Blog).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue (CWE-79) with a CVSS v3.1 base score of 6.1 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability exists in the c37_wpl_import_template admin-post action which allows remote attackers to upload page templates containing arbitrary JavaScript that will execute in an administrator's browser if the template is used to create a page (WPScan).

If exploited, this vulnerability allows attackers to inject malicious JavaScript code that executes in an administrator's browser context when viewing affected pages. This could lead to unauthorized actions being performed with administrator privileges and potential compromise of the WordPress site (Wordfence Blog).

The vulnerability was patched in version 0.99 of the WP Lead Plus X plugin. Site administrators are strongly advised to update to this version or later to protect against potential attacks (Wordfence Blog).