CVE-2020-11026: Specially crafted filenames in WordPress leading to XSS
First published: Thu Apr 30 2020(Updated: )
In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/wordpress | 5.0.15+dfsg1-0+deb10u1 5.0.19+dfsg1-0+deb10u1 5.7.8+dfsg1-0+deb11u2 6.1.1+dfsg1-1 6.3.1+dfsg1-1 | |
| WordPress | >=3.7<3.7.33 | |
| WordPress | >=3.8<3.8.33 | |
| WordPress | >=3.9<3.9.31 | |
| WordPress | >=4.0<4.0.30 | |
| WordPress | >=4.1<4.1.30 | |
| WordPress | >=4.2<4.2.27 | |
| WordPress | >=4.3<4.3.23 | |
| WordPress | >=4.4<4.4.22 | |
| WordPress | >=4.5<4.5.21 | |
| WordPress | >=4.6<4.6.18 | |
| WordPress | >=4.7<4.7.17 | |
| WordPress | >=4.8<4.8.13 | |
| WordPress | >=4.9<4.9.14 | |
| WordPress | >=5.0<5.0.9 | |
| WordPress | >=5.1<5.1.5 | |
| WordPress | >=5.2<5.2.6 | |
| WordPress | >=5.3<5.3.3 | |
| WordPress | =5.4 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2
- https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates
- https://core.trac.wordpress.org/changeset/47638
- https://github.com/WordPress/wordpress-develop/commit/74d6f9613b96a2948f7675513b8b7f8224bfc386
- https://security-tracker.debian.org/tracker/CVE-2020-11026
- https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html
- https://www.debian.org/security/2020/dsa-4677
Frequently Asked Questions
What is CVE-2020-11026?
CVE-2020-11026 is a vulnerability in WordPress that allows an authenticated user to execute arbitrary scripts by uploading specially crafted files with a specific name.
How severe is CVE-2020-11026?
CVE-2020-11026 has a severity rating of high.
How can I fix CVE-2020-11026?
CVE-2020-11026 can be fixed by updating to WordPress version 5.4.1 or later.
Where can I find more information about CVE-2020-11026?
More information about CVE-2020-11026 can be found at the following references: [Link1](https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2), [Link2](https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html), [Link3](https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates).
- collector/security-tracker-debian
- agent/type
- agent/softwarecombine
- agent/author
- agent/references
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/severity
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/wordpress
- canonical/wordpress
- version/wordpress/3.7
- version/wordpress/3.8
- version/wordpress/3.9
- version/wordpress/4.0
- version/wordpress/4.1
- version/wordpress/4.2
- version/wordpress/4.3
- version/wordpress/4.4
- version/wordpress/4.5
- version/wordpress/4.6
- version/wordpress/4.7
- version/wordpress/4.8
- version/wordpress/4.9
- version/wordpress/5.0
- version/wordpress/5.1
- version/wordpress/5.2
- version/wordpress/5.3
- version/wordpress/5.4
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- version/debian debian linux/10.0