What is CVE-2020-11026?

CVE-2020-11026 is a vulnerability in WordPress that allows an authenticated user to execute arbitrary scripts by uploading specially crafted files with a specific name.

How severe is CVE-2020-11026?

CVE-2020-11026 has a severity rating of high.

How can I fix CVE-2020-11026?

CVE-2020-11026 can be fixed by updating to WordPress version 5.4.1 or later.

Where can I find more information about CVE-2020-11026?

More information about CVE-2020-11026 can be found at the following references: [Link1](https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2), [Link2](https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html), [Link3](https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates).

Vulnerability/
CVE-2020-11026

high

8.7

CWE

79 707

30/4/2020

1/3/2023

CVE-2020-11026: XSS

First published: Thu Apr 30 2020(Updated: )

In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
debian/wordpress		5.0.15+dfsg1-0+deb10u1 5.0.19+dfsg1-0+deb10u1 5.7.8+dfsg1-0+deb11u2 6.1.1+dfsg1-1 6.3.1+dfsg1-1
WordPress WordPress	>=3.7<3.7.33
WordPress WordPress	>=3.8<3.8.33
WordPress WordPress	>=3.9<3.9.31
WordPress WordPress	>=4.0<4.0.30
WordPress WordPress	>=4.1<4.1.30
WordPress WordPress	>=4.2<4.2.27
WordPress WordPress	>=4.3<4.3.23
WordPress WordPress	>=4.4<4.4.22
WordPress WordPress	>=4.5<4.5.21
WordPress WordPress	>=4.6<4.6.18
WordPress WordPress	>=4.7<4.7.17
WordPress WordPress	>=4.8<4.8.13
WordPress WordPress	>=4.9<4.9.14
WordPress WordPress	>=5.0<5.0.9
WordPress WordPress	>=5.1<5.1.5
WordPress WordPress	>=5.2<5.2.6
WordPress WordPress	>=5.3<5.3.3
WordPress WordPress	=5.4
Debian Debian Linux	=8.0
Debian Debian Linux	=9.0
Debian Debian Linux	=10.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2020-11026?
CVE-2020-11026 is a vulnerability in WordPress that allows an authenticated user to execute arbitrary scripts by uploading specially crafted files with a specific name.
How severe is CVE-2020-11026?
CVE-2020-11026 has a severity rating of high.
How can I fix CVE-2020-11026?
CVE-2020-11026 can be fixed by updating to WordPress version 5.4.1 or later.
Where can I find more information about CVE-2020-11026?
More information about CVE-2020-11026 can be found at the following references: [Link1](https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2), [Link2](https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html), [Link3](https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates).

collector/security-tracker-debian
agent/weakness
agent/type
agent/description
agent/severity
agent/references
agent/author
agent/event
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
package-manager/debian
vendor/wordpress
canonical/wordpress wordpress
version/wordpress wordpress/3.7
version/wordpress wordpress/3.8
version/wordpress wordpress/3.9
version/wordpress wordpress/4.0
version/wordpress wordpress/4.1
version/wordpress wordpress/4.2
version/wordpress wordpress/4.3
version/wordpress wordpress/4.4
version/wordpress wordpress/4.5
version/wordpress wordpress/4.6
version/wordpress wordpress/4.7
version/wordpress wordpress/4.8
version/wordpress wordpress/4.9
version/wordpress wordpress/5.0
version/wordpress wordpress/5.1
version/wordpress wordpress/5.2
version/wordpress wordpress/5.3
version/wordpress wordpress/5.4
vendor/debian
canonical/debian debian linux
version/debian debian linux/8.0
version/debian debian linux/9.0
version/debian debian linux/10.0