Vulnerabilities and security researches forasync-javascript async-javascript

Jun 07, 2024

CVE, Research URL: cb3b92c5c076a8f8d1d0e05662d2dfe8153c5bed
Home page URL: Security reports for Async JavaScript
Application: Async JavaScript
Date: Jun 29, 2021
Research Description: Async JavaScript [async-javascript] < 2.21.06.29 WordPress Async JavaScript plugin <= 2.20.12.09 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by m0ze in WordPress Async JavaScript plugin (versions <= 2.20.12.09).
Affected versions: max 2.21.06.29.
Status: vulnerable

Dec 11, 2025

CVE, Research URL: CVE-2020-36854
Home page URL: Security reports for Async JavaScript
Application: Async JavaScript
Date: Oct 18, 2025
Research Description: The Async JavaScript plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.19.07.14. This is due to missing authorization checks on the aj_steps AJAX aciton along with a lack on sanitization on the settings saved via the function. This makes it possible for authenticated attackers with subscriber level permissions and above to inject malicious web scripts into a page that execute whenever a user accesses that page.
Affected versions: max 2.20.02.27.
Status: vulnerable