Vulnerabilities and security research for async-javascript
Jun 07, 2024
Async JavaScript # cb3b92c5c076a8f8d1d0e05662d2dfe8153c5bed
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 29, 2021
- Research Description
- Async JavaScript [async-javascript] < 2.21.06.29: WordPress Async JavaScript plugin <= 2.20.12.09 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability. Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by m0ze in WordPress Async JavaScript plugin (versions <= 2.20.12.09).
- Affected versions
- max 2.21.06.29.
- Status
- vulnerable
Dec 11, 2025
Async JavaScript # CVE-2020-36854
- CVE, Research URL
- Home page URL
- Application
- Date
- Oct 18, 2025
- Research Description
- The Async JavaScript plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.19.07.14. This is due to missing authorization checks on the aj_steps AJAX action along with a lack of sanitization on the settings saved via the function. This makes it possible for authenticated attackers with subscriber-level permissions and above to inject malicious web scripts into a page that execute whenever a user accesses that page.
- Affected versions
- max 2.20.02.27.
- Status
- vulnerable
Jun 16, 2026
Async JavaScript # e36be0c1-de61-407b-95a6-ebb340bf29b3
- CVE, Research URL
- Home page URL
- Application
- Date
- -
- Research Description
- Async JavaScript [async-javascript] < 2.20.02.27: Async Javascript < 2.20.02.27 - Subscriber+ Stored XSS via Plugin Settings Change. Async JavaScript’s settings are modified via calls to wp-admin/admin-ajax.php with the action aj_steps. This AJAX action is registered only for authenticated users, but no capabilities checks are made. Because of this, low-privilege users including Subscribers can modify the plugin’s settings.
- Affected versions
- max 2.20.02.27.
- Status
- vulnerable
Async JavaScript # d636ccf5e60d4acf09f15182141bfa6c5351a5ea
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 13, 2021
- Research Description
- Async JavaScript [async-javascript] < 2.21.06.29: Async Javascript <= 2.20.12.09 - Authenticated (Admin+) Cross-Site Scripting. The Async Javascript plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '&aj_gtmetrix_username=' and '&aj_gtmetrix_api_key=' parameters in versions up to, and including, 2.20.12.09 due to insufficient input sanitization and output escaping. This makes it possible for authenticated (admin+) attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
- max 2.21.06.29.
- Status
- vulnerable
Async JavaScript # dc720f7e4f71488f6f9e4d0e22eb0a048932a77b
- CVE, Research URL
- Home page URL
- Application
- Date
- Feb 27, 2020
- Research Description
- Async JavaScript [async-javascript] < 2.20.02.27: WordPress Async JavaScript plugin <= 2.19.07.14 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by WordFence in WordPress Async JavaScript plugin (versions <= 2.19.07.14).
- Affected versions
- max 2.20.02.27.
- Status
- vulnerable
Async JavaScript # 278f7c36-05f8-4b6f-9a13-11175e3f3971
- CVE, Research URL
- Home page URL
- Application
- Date
- -
- Research Description
- Async JavaScript [async-javascript] < 2.21.06.29: Async JavaScript < 2.21.06.29 - Authenticated (admin+) Stored XSS. The plugin does not validate or escape its Username and API Key from the Wizard tab of its settings, allowing high-privilege users such as admin to set a JavaScript payload in them, even when the unfiltered_html capability is disallowed, leading to Stored Cross-Site Scripting issues.
- Affected versions
- max 2.21.06.29.
- Status
- vulnerable
Async JavaScript # a535d19a588d298275a50a334cb3297b070e2d46
- CVE, Research URL
- Home page URL
- Application
- Date
- Feb 27, 2020
- Research Description
- Async JavaScript [async-javascript] < 2.20.02.27: Async JavaScript <= 2.19.07.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting. The Async JavaScript plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.19.07.14. This is due to missing authorization checks on the aj_steps AJAX action along with a lack of sanitization on the settings saved via the function. This makes it possible for authenticated attackers with subscriber-level permissions and above to inject malicious web scripts into a page that execute whenever a user accesses that page.
- Affected versions
- max 2.20.02.27.
- Status
- vulnerable