CVE-2020-28032
Published: 2020-11-02
Priority: P259 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 16.12% (96.5th percentile)
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | wordpress | < wordpress 5.5.3+dfsg1-1 (bookworm) | wordpress 5.5.3+dfsg1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| rmccue | requests | >= 1.6.0 < 1.8.0 | 1.8.0 |
| wordpress | wordpress | < 5.5.2 | 5.5.2 |
| wordpress | wordpress | >= 0 < 5.5.3+dfsg1-1 | 5.5.3+dfsg1-1 |
| wordpress | wordpress | >= 0 < 5.5.3+dfsg1-1 | 5.5.3+dfsg1-1 |
| wordpress | wordpress | >= 0 < 5.5.3+dfsg1-1 | 5.5.3+dfsg1-1 |
| wordpress | wordpress | >= 0 < 5.5.3+dfsg1-1 | 5.5.3+dfsg1-1 |
Detection & IOCs (extracted from sources)
- Monitor for deserialization abuse targeting wp-includes/Requests/Utility/FilteredIterator.php in WordPress installations running versions prior to 5.5.2.
- Upstream patch available at the referenced GitHub commit for WordPress develop; use it to diff and build detection logic around the hardened deserialization handling.
- Vulnerability is scoped as local exploitation only per Debian security tracker classification.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
GHSA · ghsa_unreviewed · 2022-05-24 · GHSA-546f-q8mw-j4qj
CVE-2020-28032 [CRITICAL] CWE-502: WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
GHSA · 2021-04-29 · CVSS 9.8
CVE-2021-29476 [CRITICAL] CWE-502: Insecure Deserialization of untrusted data in rmccue/requests
### Impact
Unserialization of untrusted data.
### Patches
The issue has been patched and users of `Requests` 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0.
### References
Publications about the vulnerability:
* https://dannewitz.ninja/posts/php-unserialize-object-injection-yet-another-stars-rating-wordpress
* https://github.com/ambionics/phpggc/issues/52
* https://blog.detectify.com/2019/07/23/improving-wordpress-plugin-security/
* https://i.blackhat.com/us-18/Thu-August-9/us-18-Thomas-Its-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf
* https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf
* https://2018.zeronights.ru/wp-content/upl
OSV · 2021-04-29 · CVSS 9.8
CVE-2021-29476 [CRITICAL] Insecure Deserialization of untrusted data in rmccue/requests (same advisory text as the GHSA entry above).
OSV · 2020-11-02 · CVSS 9.8
CVE-2020-28032 [CRITICAL]: WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
Debian · vendor_debian · 2020 · CVSS 9.8
CVE-2020-28032 [CRITICAL] wordpress: WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
Scope: local
bookworm: resolved (fixed in 5.5.3+dfsg1-1)
bullseye: resolved (fixed in 5.5.3+dfsg1-1)
forky: resolved (fixed in 5.5.3+dfsg1-1)
sid: resolved (fixed in 5.5.3+dfsg1-1)
trixie: resolved (fixed in 5.5.3+dfsg1-1)
No detection rules found.
No public exploits indexed.
Bugzilla · 2020-11-05 · CVSS 9.8
CVE-2020-28032 [CRITICAL] wordpress: hardening deserialization requests [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of
Bugzilla · 2020-11-05 · CVSS 9.8
CVE-2020-28032 [CRITICAL] wordpress: hardening deserialization requests
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
References:
https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
https://wpscan.com/vulnerability/10446
Upstream patch:
https://github.com/WordPress/wordpress-develop/commit/add6bedf3a53b647d0ebda2970057912d3cd79d3
Discussion:
Created wordpress tracking bugs for this issue:
Affects: epel-all [bug 1894949]
Affects: fedora-all [bug 1894948]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Bugzilla · 2020-11-05 · CVSS 9.8
CVE-2020-28032 [CRITICAL] wordpress: hardening deserialization requests [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedo
References:
https://github.com/WordPress/wordpress-develop/commit/add6bedf3a53b647d0ebda2970057912d3cd79d3
https://lists.debian.org/debian-lts-announce/2020/11/msg00004.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHVNK2WYAM3ZTCXTFSEIT56IKLVJHU3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAVVYJKA2I6CRQUINECDPBGWMQDEG244/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUXVUAKL2HL4QYJEPHBNVQQWRMFMII2Y/
https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
https://wpscan.com/vulnerability/10446
https://www.debian.org/security/2020/dsa-4784