CVE-2020-11026Improper Neutralization in Wordpress

CWE-707Improper NeutralizationCWE-79Cross-site Scripting6 documents4 sources
Severity
5.4MEDIUMNVD
EPSS
4.4%
top 10.97%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
WordpressDebian WordpressDebian Linux
Timeline
PublishedApr 30
Latest updateMay 5

Description

In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

debiandebian/wordpress< wordpress 5.4.1+dfsg1-1 (bookworm)
NVDwordpress/wordpress3.73.7.33+17
Debianwordpress/wordpress< 5.4.1+dfsg1-1+3
CVEListV5wordpress/wordpress18 versions+17

Also affects: Debian Linux 10.0, 8.0, 9.0

🔴Vulnerability Details

1
OSV
CVE-2020-11026: In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing2020-04-30

📋Vendor Advisories

1
Debian
CVE-2020-11026: wordpress - In affected versions of WordPress, files with a specially crafted name when uplo...2020

💬Community

3
Bugzilla
CVE-2020-11026 wordpress: Specially crafted filenames in WordPress leading to XSS [epel-7]2020-05-05
Bugzilla
CVE-2020-11026 wordpress: Specially crafted filenames in WordPress leading to XSS2020-05-05
Bugzilla
CVE-2020-11026 wordpress: Specially crafted filenames in WordPress leading to XSS [epel-6]2020-05-05