First published: Fri Jun 12 2020
In affected versions of WordPress, a flaw in wp_validate_redirect() and the URL sanitization it relies on lets an attacker craft a link that passes the same-site check but, when clicked, sends the visitor to an arbitrary external site (an open redirect). This has been patched in version 5.4.2, and in every previously affected branch via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
debian/wordpress | 5.0.15+dfsg1-0+deb10u1 5.0.19+dfsg1-0+deb10u1 5.7.8+dfsg1-0+deb11u2 6.1.1+dfsg1-1 6.3.1+dfsg1-1 | |
WordPress WordPress | >=3.7<3.7.34 | |
WordPress WordPress | >=3.8<3.8.34 | |
WordPress WordPress | >=3.9<3.9.32 | |
WordPress WordPress | >=4.0<4.0.31 | |
WordPress WordPress | >=4.1<4.1.31 | |
WordPress WordPress | >=4.2<4.2.28 | |
WordPress WordPress | >=4.3<4.3.24 | |
WordPress WordPress | >=4.4<4.4.23 | |
WordPress WordPress | >=4.5<4.5.22 | |
WordPress WordPress | >=4.6<4.6.19 | |
WordPress WordPress | >=4.7<4.7.18 | |
WordPress WordPress | >=4.8<4.8.14 | |
WordPress WordPress | >=4.9<4.9.15 | |
WordPress WordPress | >=5.0<5.0.10 | |
WordPress WordPress | >=5.1<5.1.6 | |
WordPress WordPress | >=5.2<5.2.7 | |
WordPress WordPress | >=5.3.0<5.3.4 | |
WordPress WordPress | >=5.4<5.4.2 | |
Fedoraproject Fedora | =32 | |
Fedoraproject Fedora | =33 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
https://github.com/WordPress/wordpress-develop/commit/6ef777e9a022bee2a80fa671118e7e2657e52693
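The commit linked above changes wp_validate_redirect(), the function wp_safe_redirect() uses to decide whether a redirect target stays on the site. The page does not say which specific input the pre-5.4.2 check mishandled, so the following is an added example rather than WordPress core code or the patched function: a plain-PHP reimplementation of the same kind of allowlist check, written so the classes of input that defeat naive "starts with /" or "contains our domain" tests can be exercised from the CLI without loading WordPress. The function name strict_validate_redirect and the hosts site.example, shop.site.example and evil.example are assumptions made up for the illustration; the test inputs are constructed. It is deliberately stricter than core in two places: it rejects any userinfo, and it accepts a relative target only if it starts with a single slash (core resolves bare relative paths against the request URI). The last block shows how a plugin should use the real API, wp_safe_redirect() plus the allowed_redirect_hosts filter, instead of wp_redirect().

```php
<?php
/**
 * Added example, not WordPress core code. Strict same-site redirect check
 * in the style of wp_validate_redirect(). Hosts and inputs are made up.
 */

/**
 * Return $location if it is a local absolute path or an http(s) URL whose
 * host is in $allowed_hosts; otherwise return $default.
 */
function strict_validate_redirect( string $location, array $allowed_hosts, string $default = '/' ): string {
	// Browsers delete ASCII tab, CR and LF before parsing, so "/\t/evil.example"
	// is fetched as "//evil.example". Do the same before looking at the URL.
	$location = str_replace( array( "\t", "\r", "\n" ), '', $location );
	$location = trim( $location, " \0\x0B" );

	// For http(s) a browser treats "\" like "/", so "/\evil.example" is a
	// protocol-relative URL. parse_url() does not know that; normalise first.
	$location = str_replace( '\\', '/', $location );

	if ( '' === $location ) {
		return $default;
	}

	$parts = parse_url( $location );
	if ( false === $parts ) {
		return $default; // unparseable: do not guess what the browser will do
	}

	$scheme = isset( $parts['scheme'] ) ? strtolower( $parts['scheme'] ) : null;
	$host   = isset( $parts['host'] ) ? strtolower( $parts['host'] ) : null;

	// Only http and https; never javascript:, data:, etc.
	if ( null !== $scheme && 'http' !== $scheme && 'https' !== $scheme ) {
		return $default;
	}

	// "https:evil.example" parses with a scheme but no host, yet a browser
	// opens https://evil.example. Reject scheme, userinfo or port without a host.
	if ( null === $host && ( null !== $scheme || isset( $parts['user'] ) || isset( $parts['pass'] ) || isset( $parts['port'] ) ) ) {
		return $default;
	}

	// Userinfo is never needed for a same-site redirect; it is the classic way
	// to make "https://site.example@evil.example" look trustworthy.
	if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
		return $default;
	}

	if ( null === $host ) {
		// Relative reference: accept only an absolute path on this site.
		$path = $parts['path'] ?? '';
		return ( '' !== $path && '/' === $path[0] ) ? $location : $default;
	}

	// Exact host match only; a suffix or substring test would pass
	// site.example.evil.example.
	return in_array( $host, array_map( 'strtolower', $allowed_hosts ), true ) ? $location : $default;
}

// Stand-alone self-check: `php redirect-check.php`. All inputs are constructed.
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_filter' ) ) {
	$allowed = array( 'site.example', 'shop.site.example' );
	$cases   = array(
		// target                                => expected result
		'/wp-admin/'                             => '/wp-admin/',
		'https://site.example/wp-admin/?page=1'  => 'https://site.example/wp-admin/?page=1',
		'HTTPS://SITE.EXAMPLE/'                  => 'HTTPS://SITE.EXAMPLE/',
		'https://shop.site.example/cart'         => 'https://shop.site.example/cart',
		'//evil.example/'                        => '/', // protocol-relative
		'/\\evil.example/'                       => '/', // backslash: browser reads //evil.example
		"/\t/evil.example/"                      => '/', // tab: browser reads //evil.example
		'https:evil.example'                     => '/', // scheme, no host
		'https://site.example@evil.example/'     => '/', // userinfo decoy
		'https://site.example.evil.example/'     => '/', // suffix match bait
		'javascript:alert(1)'                    => '/', // non-http scheme
	);
	$failed = 0;
	foreach ( $cases as $target => $expected ) {
		$got = strict_validate_redirect( $target, $allowed );
		if ( $got !== $expected ) {
			$failed++;
		}
		printf( "%s  %-40s -> %s\n", $got === $expected ? 'ok  ' : 'FAIL', json_encode( $target, JSON_UNESCAPED_SLASHES ), $got );
	}
	exit( $failed ? 1 : 0 );
}

// Inside WordPress, use core's API rather than a private check: wp_safe_redirect()
// runs the target through wp_validate_redirect() and falls back to admin_url()
// for anything that is not a local path or an allowed host. Extend the allowlist
// with the filter; never "fix" a rejected target by switching to wp_redirect().
if ( function_exists( 'add_filter' ) ) {
	add_filter( 'allowed_redirect_hosts', function ( array $hosts ) {
		$hosts[] = 'shop.site.example'; // assumed second first-party host
		return $hosts;
	} );
}

function example_after_login_redirect() { // hypothetical plugin handler
	$target = isset( $_GET['redirect_to'] ) ? wp_unslash( $_GET['redirect_to'] ) : '';
	wp_safe_redirect( $target );
	exit;
}
```

The order of the normalisation steps matters: the tab/CR/LF stripping and the backslash rewrite must happen before parse_url(), because the check has to see the URL the way the browser will resolve it, not the way the raw bytes parse. That mismatch between what the server-side parser and the browser consider the host is the general shape of redirect-validation bypasses, which is why the patched releases are worth applying even on sites that never pass user input to wp_redirect() themselves: core's own login and admin flows rely on wp_safe_redirect().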
The vulnerability ID for this issue is CVE-2020-4048.
The severity of CVE-2020-4048 is medium (5.7).
The affected software for CVE-2020-4048 includes WordPress 3.7 through 5.4.1 (every branch from 3.7 to 5.4 before its patched minor release), the wordpress packages in Debian Linux 8.0 to 10.0, and Fedora 32 and 33.
To fix CVE-2020-4048, update WordPress to 5.4.2, or to the patched minor release of your branch (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34 or 3.7.34); on Debian and Fedora, install the distribution's updated wordpress package.
You can find more information about CVE-2020-4048 on the WordPress Core Trac and GitHub security advisories.