CVE-2020-28034
Published 2020-11-02
Priority P277 · medium · CVSS 3.1 base score 6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 1.70% (74.3rd percentile)
WordPress before 5.5.2 allows XSS associated with global variables.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wordpress | wordpress | < 5.5.2 | 5.5.2 |
| debian | wordpress | < 5.5.3+dfsg1-1 (bookworm, bullseye, forky, sid, trixie) | 5.5.3+dfsg1-1 |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
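To turn the ranges above into a fleet check, here is an added example; it is not code from the advisory, from WordPress, or from any of the indexed sources, and the helper names and sample file contents are ours. It reads the `$wp_version` string from `wp-includes/version.php`, compares it against the upstream fix (5.5.2) or, for the Debian package, the upstream part of 5.5.3+dfsg1-1, and flags the install. The caveat a practitioner needs: comparing only the upstream prefix is correct against the ranges in the table, but it will mis-flag a distribution that backported the fix onto an older branch (the Debian LTS announcement in the references is one such channel), because the version number does not move. For those hosts the package changelog (typically `/usr/share/doc/wordpress/changelog.Debian.gz`, with the installed version from `dpkg-query -W -f='${Version}' wordpress`) is the authoritative record, so the script also looks for the CVE identifier there.

```python
"""Fleet check for CVE-2020-28034 against the ranges listed above.

Added example: not code from the advisory, from WordPress, or from any of
the indexed sources.  Helper names and the sample inputs are ours.
"""
import re
from typing import Optional, Tuple

# Fix versions taken from the Affected table on this page.
UPSTREAM_FIXED = "5.5.2"          # wordpress.org release
DEBIAN_FIXED = "5.5.3+dfsg1-1"    # Debian package (bookworm/bullseye/forky/sid/trixie)
CVE_ID = "CVE-2020-28034"


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric dotted prefix of a version, padded to three components.

    '5.5.1'         -> (5, 5, 1)
    '5.5'           -> (5, 5, 0)
    '5.5.3+dfsg1-1' -> (5, 5, 3)  Debian revision suffix ignored; enough here
                                   because the fix sits in the upstream part.
    '5.6-RC1'       -> (5, 6, 0)  pre-release tags are ignored too.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(installed: str, fixed: str = UPSTREAM_FIXED) -> bool:
    """True when `installed` is older than the fixing version."""
    return parse_version(installed) < parse_version(fixed)


def wp_version_from_php(source: str) -> Optional[str]:
    """Pull $wp_version out of the text of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]\s*;", source)
    return m.group(1) if m else None


def changelog_fixes_cve(changelog: str, cve: str = CVE_ID) -> bool:
    """Distribution backports keep the old upstream number and record the fix
    in the package changelog, so look for the CVE identifier there.  The
    negative lookahead stops CVE-2020-28034 matching CVE-2020-280341."""
    return re.search(re.escape(cve) + r"(?!\d)", changelog) is not None


def assess(version_php: str, changelog: str = "") -> dict:
    """Combine both checks for one install and return a small report."""
    version = wp_version_from_php(version_php)
    if version is None:
        return {"version": None, "affected": None, "reason": "no $wp_version found"}
    if not is_affected(version):
        return {"version": version, "affected": False,
                "reason": f"{version} >= {UPSTREAM_FIXED}"}
    if changelog_fixes_cve(changelog):
        return {"version": version, "affected": False,
                "reason": f"{version} < {UPSTREAM_FIXED} but changelog records {CVE_ID}"}
    return {"version": version, "affected": True,
            "reason": f"{version} < {UPSTREAM_FIXED}"}


# Constructed sample inputs (not real files from any host; the LTS version
# string and changelog entry are illustrative, not a real Debian upload).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '5.5.1';\n$wp_db_version = 48748;\n"
SAMPLE_VERSION_PHP_LTS = "<?php\n$wp_version = '5.0.4';\n"
SAMPLE_BACKPORT_CHANGELOG = (
    "wordpress (5.0.4+dfsg1-1+deb10u1) buster-security; urgency=high\n\n"
    "  * Backport fixes for CVE-2020-28034 and others.\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_PHP))                              # affected
    print(assess(SAMPLE_VERSION_PHP_LTS, SAMPLE_BACKPORT_CHANGELOG))  # backported, not affected
```

`assess` deliberately treats a changelog hit as authoritative only after the version comparison says "older than the fix"; a host already at 5.5.2 or later needs no changelog at all. Nothing here tells you whether the XSS is reachable on a given site, only whether the code level is one the advisory covers.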
Detection & IOCs (extracted from sources)
- All provided sources contain only high-level advisory/tracking information for this XSS vulnerability. No concrete technical details, payloads, affected code paths, or exploitation specifics are disclosed across any of the five sources.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vulncheck | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
Debian
CVE-2020-28034: wordpress - WordPress before 5.5.2 allows XSS associated with global variables.
vendor_debian · 2020 · CVSS 6.1 (MEDIUM)
Scope: local
bookworm: resolved (fixed in 5.5.3+dfsg1-1)
bullseye: resolved (fixed in 5.5.3+dfsg1-1)
forky: resolved (fixed in 5.5.3+dfsg1-1)
sid: resolved (fixed in 5.5.3+dfsg1-1)
trixie: resolved (fixed in 5.5.3+dfsg1-1)
GHSA
GHSA-q684-cq3q-r3gp: WordPress before 5.5.2 allows XSS associated with global variables.
ghsa_unreviewed · 2022-05-24 · CWE-79 · MEDIUM
OSV
CVE-2020-28034: WordPress before 5.5.2 allows XSS associated with global variables.
osv · 2020-11-02 · CVSS 6.1 (MEDIUM)
VulnCheck
WordPress wordpress: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck · 2020 · CVSS 6.1 (MEDIUM)
WordPress before 5.5.2 allows XSS associated with global variables.
Affected: WordPress wordpress
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-core/wordpress-core-552-reflected-cross-site-scripting-via-global-variables?asset_slug=wordpress
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-28034 wordpress: XSS via global variables
bugzilla · 2020-11-05 · CVSS 6.1 (MEDIUM)
WordPress before 5.5.2 allows XSS associated with global variables.
Reference:
https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
Discussion:
Created wordpress tracking bugs for this issue:
Affects: epel-all [bug 1894964]
Affects: fedora-all [bug 1894963]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Bugzilla
CVE-2020-28034 wordpress: XSS via global variables [fedora-all]
bugzilla · 2020-11-05 · CVSS 6.1 (MEDIUM)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. Wh
Bugzilla
CVE-2020-28034 wordpress: XSS via global variables [epel-all]
bugzilla · 2020-11-05 · CVSS 6.1 (MEDIUM)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora EPEL. W
References
- https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
- https://www.debian.org/security/2020/dsa-4784
- https://lists.debian.org/debian-lts-announce/2020/11/msg00004.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHVNK2WYAM3ZTCXTFSEIT56IKLVJHU3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAVVYJKA2I6CRQUINECDPBGWMQDEG244/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUXVUAKL2HL4QYJEPHBNVQQWRMFMII2Y/