CVE-2020-28034Cross-site Scripting in Wordpress

CWE-79Cross-site Scripting8 documents6 sources
Severity
6.1MEDIUMNVD
EPSS
2.7%
top 14.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
WordpressDebian WordpressDebian Linux+1 more
Timeline
PublishedNov 2
Latest updateMay 24

Description

WordPress before 5.5.2 allows XSS associated with global variables.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

debiandebian/wordpress< wordpress 5.5.3+dfsg1-1 (bookworm)
NVDwordpress/wordpress< 5.5.2
Debianwordpress/wordpress< 5.5.3+dfsg1-1+3

Also affects: Debian Linux 10.0, 9.0, Fedora 31, 32, 33

🔴Vulnerability Details

3
GHSA
GHSA-q684-cq3q-r3gp: WordPress before 52022-05-24
OSV
CVE-2020-28034: WordPress before 52020-11-02
VulnCheck
WordPress wordpress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')2020

📋Vendor Advisories

1
Debian
CVE-2020-28034: wordpress - WordPress before 5.5.2 allows XSS associated with global variables.2020

💬Community

3
Bugzilla
CVE-2020-28034 wordpress: XSS via global variables2020-11-05
Bugzilla
CVE-2020-28034 wordpress: XSS via global variables [fedora-all]2020-11-05
Bugzilla
CVE-2020-28034 wordpress: XSS via global variables [epel-all]2020-11-05