First published: Thu Apr 30 2020
In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/wordpress | 5.0.15+dfsg1-0+deb10u1, 5.0.19+dfsg1-0+deb10u1, 5.7.8+dfsg1-0+deb11u2, 6.1.1+dfsg1-1, 6.3.1+dfsg1-1 | |
| WordPress WordPress | >=4.7 <5.4.1 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
CVE-2020-11025 is a cross-site scripting (XSS) vulnerability in the navigation section of WordPress Customizer that allows execution of JavaScript code by an authenticated user.
CVE-2020-11025 has a severity score of 5.4, which is considered medium.
CVE-2020-11025 affects certain versions of WordPress (5.0.15+dfsg1-0+deb10u1, 5.0.19+dfsg1-0+deb10u1, 5.7.8+dfsg1-0+deb11u2, 6.1.1+dfsg1-1, 6.3.1+dfsg1-1) by allowing a cross-site scripting (XSS) attack in the navigation section of the Customizer.
Yes, CVE-2020-11025 has been patched in WordPress version 5.4.1, as well as all previously affected versions.
You can find more information about CVE-2020-11025 on the Debian Security Tracker: [CVE-2020-11025](https://security-tracker.debian.org/tracker/CVE-2020-11025).