CVE-2020-11028Improper Access Control in Wordpress

CWE-284Improper Access ControlCWE-306Missing Authentication for Critical Function6 documents4 sources
Severity
7.5HIGHNVD
EPSS
0.9%
top 23.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
WordpressDebian WordpressDebian Linux
Timeline
PublishedApr 30
Latest updateMay 5

Description

In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

debiandebian/wordpress< wordpress 5.4.1+dfsg1-1 (bookworm)
NVDwordpress/wordpress< 5.4.1
Debianwordpress/wordpress< 5.4.1+dfsg1-1+3
CVEListV5wordpress/wordpress18 versions+17

Also affects: Debian Linux 10.0, 8.0, 9.0

🔴Vulnerability Details

1
OSV
CVE-2020-11028: In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of2020-04-30

📋Vendor Advisories

1
Debian
CVE-2020-11028: wordpress - In affected versions of WordPress, some private posts, which were previously pub...2020

💬Community

3
Bugzilla
CVE-2020-11028 wordpress: Some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. [epel-6]2020-05-05
Bugzilla
CVE-2020-11028 wordpress: Some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions.2020-05-05
Bugzilla
CVE-2020-11028 wordpress: Some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. [epel-7]2020-05-05