CVE-2020-11025 — Cross-site Scripting in Wordpress
Severity
5.4MEDIUMNVD
EPSS
1.4%
top 19.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 30
Latest updateMay 5
Description
In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7
Affected Packages4 packages
Also affects: Debian Linux 10.0, 9.0
🔴Vulnerability Details
1OSV▶
CVE-2020-11025: In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be exe↗2020-04-30
📋Vendor Advisories
1Debian▶
CVE-2020-11025: wordpress - In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in...↗2020
💬Community
3Bugzilla▶
CVE-2020-11025 wordpress: Authenticated cross-site scripting (XSS) in WordPress Customizer [epel-6]↗2020-05-05
Bugzilla▶
CVE-2020-11025 wordpress: Authenticated cross-site scripting (XSS) in WordPress Customizer↗2020-05-05
Bugzilla▶
CVE-2020-11025 wordpress: Authenticated cross-site scripting (XSS) in WordPress Customizer [epel-7]↗2020-05-05