CVE-2020-28032
published 2020-11-02

CVE-2020-28032: WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.

Priority: P2 · 59 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 16.12% (96.5th percentile)
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.

Affected (12 ranges)

Vendor         | Product       | Version range                              | Fixed in
---------------|---------------|--------------------------------------------|--------------------------------------
debian         | debian_linux  |                                            |
debian         | debian_linux  |                                            |
debian         | wordpress     | < wordpress 5.5.3+dfsg1-1 (bookworm)       | wordpress 5.5.3+dfsg1-1 (bookworm)
fedoraproject  | fedora        |                                            |
fedoraproject  | fedora        |                                            |
fedoraproject  | fedora        |                                            |
rmccue         | requests      | >= 1.6.0 < 1.8.0                           | 1.8.0
wordpress      | wordpress     | < 5.5.2                                    | 5.5.2
wordpress      | wordpress     | >= 0 < 5.5.3+dfsg1-1                       | 5.5.3+dfsg1-1
wordpress      | wordpress     | >= 0 < 5.5.3+dfsg1-1                       | 5.5.3+dfsg1-1
wordpress      | wordpress     | >= 0 < 5.5.3+dfsg1-1                       | 5.5.3+dfsg1-1
wordpress      | wordpress     | >= 0 < 5.5.3+dfsg1-1                       | 5.5.3+dfsg1-1

Detection & IOCs (extracted from sources)

path: wp-includes/Requests/Utility/FilteredIterator.php
  • Monitor for deserialization abuse targeting wp-includes/Requests/Utility/FilteredIterator.php in WordPress installations running versions prior to 5.5.2.
  • Upstream patch available at the referenced GitHub commit for WordPress develop; use it to diff and build detection logic around the hardened deserialization handling.
  • Vulnerability is scoped as local exploitation only per Debian security tracker classification.

CVSS provenance

Source         | Version | Score | Severity | Vector
---------------|---------|-------|----------|------------------------------------------------
nvd            | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa           |         | 9.8   | CRITICAL |
osv            |         | 9.8   | CRITICAL |
vendor_debian  |         | 9.8   | CRITICAL |