Multiple vulnerabilities in WordPress
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 9 |
| CVE-ID | CVE-2020-28034 CVE-2020-28035 CVE-2020-28037 CVE-2020-28038 CVE-2020-28039 CVE-2020-28040 CVE-2020-28033 CVE-2020-28032 CVE-2020-28036 |
| CWE-ID | CWE-79 CWE-264 CWE-399 CWE-284 CWE-352 CWE-502 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #4 is available. Public exploit code for vulnerability #8 is available. |
| Vulnerable software |
WordPress Web applications / CMS |
| Vendor | WordPress.ORG |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
Updated: 09.11.2020
Assigned CVE-ID for vulnerabilities #1-6, added vulnerabilities #7-9.
1) Cross-site scripting
EUVDB-ID: #VU48035
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-28034
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via global variables. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWordPress: 5.5 - 5.5.1
CPE2.3 External linkshttps://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Security restrictions bypass
EUVDB-ID: #VU48036
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-28035
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions on XML-RPC requests. A remote authenticated attacker can escalate privileges within the application by sending a specially crafted XML-RPC request.
Install updates from vendor's website.
Vulnerable software versionsWordPress: 3.7 - 5.5.1
CPE2.3- cpe:2.3:a:wordpress_org:wordpress:3.7.34:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:3.8.34:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:3.9.32:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:4.0.31:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:4.1.31:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:4.2.28:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:4.3.24:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:4.4.23:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:4.5.22:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:4.6.19:*:*:*:*:*:*:*
https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource management error
EUVDB-ID: #VU48037
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-28037
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected website.
The vulnerability exists due to is_blog_installed in wp-includes/functions.php does not properly determine whether WordPress is already installed. This might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).
Install updates from vendor's website.
Vulnerable software versionsWordPress: 5.5 - 5.5.1
CPE2.3 External linkshttps://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Stored cross-site scripting
EUVDB-ID: #VU48038
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear]
CVE-ID: CVE-2020-28038
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: Yes
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data, related to post slugs. A remote user can permanently store and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWordPress: 5.5 - 5.5.1
CPE2.3 External linkshttps://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper access control
EUVDB-ID: #VU48039
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-28039
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to delete arbitrary files.
The vulnerability exists due to improper access restrictions in is_protected_meta in wp-includes/meta.php. A remote attacker can bypass implemented security restrictions and delete arbitrary files.
Install updates from vendor's website.
Vulnerable software versionsWordPress: 5.5 - 5.5.1
CPE2.3 External linkshttps://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Cross-site request forgery
EUVDB-ID: #VU48040
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-28040
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as change a theme's background image.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWordPress: 5.5 - 5.5.1
CPE2.3 External linkshttps://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU48201
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-28033
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application mishandles embeds from disabled sites on a multisite network. A remote attacker can send out spam.
Install updates from vendor's website.
Vulnerable software versionsWordPress: 5.5 - 5.5.1
CPE2.3 External linkshttps://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Deserialization of Untrusted Data
EUVDB-ID: #VU48200
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2020-28032
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data in wp-includes/Requests/Utility/FilteredIterator.php. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWordPress: 5.5 - 5.5.1
CPE2.3 External linkshttps://github.com/WordPress/wordpress-develop/commit/add6bedf3a53b647d0ebda2970057912d3cd79d3
https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
9) Improper access control
EUVDB-ID: #VU48202
Risk: High
CVSSv4.0: 8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-28036
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in wp-includes/class-wp-xmlrpc-server.php. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application by using XML-RPC to comment on a post.
Install updates from vendor's website.
Vulnerable software versionsWordPress: 5.5 - 5.5.1
CPE2.3 External linkshttps://github.com/WordPress/wordpress-develop/commit/c9e6b98968025b1629015998d12c3102165a7d32
https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
