First published: Fri Jun 12 2020
In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, so it is a low-severity self-XSS. This has been patched in version 5.4.2, and in all previously affected branches via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/wordpress | 5.0.15+dfsg1-0+deb10u1, 5.0.19+dfsg1-0+deb10u1, 5.7.8+dfsg1-0+deb11u2, 6.1.1+dfsg1-1, 6.3.1+dfsg1-1 | |
| WordPress WordPress | >=3.7, <3.7.34 | Update to 3.7.34 |
| WordPress WordPress | >=3.8, <3.8.34 | Update to 3.8.34 |
| WordPress WordPress | >=3.9, <3.9.32 | Update to 3.9.32 |
| WordPress WordPress | >=4.0, <4.0.31 | Update to 4.0.31 |
| WordPress WordPress | >=4.1, <4.1.31 | Update to 4.1.31 |
| WordPress WordPress | >=4.2, <4.2.28 | Update to 4.2.28 |
| WordPress WordPress | >=4.3, <4.3.24 | Update to 4.3.24 |
| WordPress WordPress | >=4.4, <4.4.23 | Update to 4.4.23 |
| WordPress WordPress | >=4.5, <4.5.22 | Update to 4.5.22 |
| WordPress WordPress | >=4.6, <4.6.19 | Update to 4.6.19 |
| WordPress WordPress | >=4.7, <4.7.18 | Update to 4.7.18 |
| WordPress WordPress | >=4.8, <4.8.14 | Update to 4.8.14 |
| WordPress WordPress | >=4.9, <4.9.15 | Update to 4.9.15 |
| WordPress WordPress | >=5.0, <5.0.10 | Update to 5.0.10 |
| WordPress WordPress | >=5.1, <5.1.6 | Update to 5.1.6 |
| WordPress WordPress | >=5.2, <5.2.7 | Update to 5.2.7 |
| WordPress WordPress | >=5.3.0, <5.3.4 | Update to 5.3.4 |
| WordPress WordPress | >=5.4, <5.4.2 | Update to 5.4.2 |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
Reference: https://github.com/WordPress/wordpress-develop/commit/404f397b4012fd9d382e55bf7d206c1317f01148
The vulnerability ID for this WordPress vulnerability is CVE-2020-4049.
CVE-2020-4049 has a severity level of low.
This vulnerability can be exploited by crafting the name of a theme folder in a way that could lead to JavaScript execution on the themes page in /wp-admin.
An admin with the ability to upload themes can exploit this vulnerability.
To fix CVE-2020-4049, update to WordPress version 5.4.2 or later.
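As an added example (not part of this advisory or of WordPress itself), a small Python check that maps an upstream WordPress version string onto the affected ranges in the table above and reports the patched release for that branch; it assumes plain upstream version strings such as 5.4.1 or 5.4.2-RC1, not distribution package versions like 5.0.19+dfsg1-0+deb10u1.

```python
# Added example: classify a WordPress version against the CVE-2020-4049
# affected ranges. The branch table is copied from the advisory above.
from typing import Dict, Optional, Tuple

# Patched release per affected branch (major, minor) -> (major, minor, patch).
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (3, 7): (3, 7, 34), (3, 8): (3, 8, 34), (3, 9): (3, 9, 32),
    (4, 0): (4, 0, 31), (4, 1): (4, 1, 31), (4, 2): (4, 2, 28),
    (4, 3): (4, 3, 24), (4, 4): (4, 4, 23), (4, 5): (4, 5, 22),
    (4, 6): (4, 6, 19), (4, 7): (4, 7, 18), (4, 8): (4, 8, 14),
    (4, 9): (4, 9, 15), (5, 0): (5, 0, 10), (5, 1): (5, 1, 6),
    (5, 2): (5, 2, 7),  (5, 3): (5, 3, 4),  (5, 4): (5, 4, 2),
}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor[.patch][-suffix]' such as '5.3', '5.4.1', '5.4.2-RC1'.

    The fourth element orders a pre-release below the final release with the
    same number: '5.4.2-RC1' -> (5, 4, 2, 0) sorts before '5.4.2' -> (5, 4, 2, 1).
    Upstream strings only; distribution package versions are out of scope.
    """
    core, _, suffix = version.strip().partition("-")
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised WordPress version: {version!r}")
    major, minor, patch = (int(p) for p in parts + ["0"] * (3 - len(parts)))
    return major, minor, patch, 0 if suffix else 1


def fixed_version_for(version: str) -> Optional[str]:
    """Patched release for this version's branch, or None if the branch is not
    listed as affected (5.5 and later, or anything below 3.7)."""
    major, minor, _, _ = parse_version(version)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    return ".".join(map(str, fixed)) if fixed else None


def is_affected(version: str) -> bool:
    """True when the branch is listed and the version predates its patched release."""
    parsed = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(parsed[:2])
    return fixed is not None and parsed < fixed + (1,)


if __name__ == "__main__":
    for v in ("4.9.14", "4.9.15", "5.3", "5.4.2-RC1", "5.4.2", "5.5"):
        state = "affected" if is_affected(v) else "not affected"
        print(f"{v:10} {state:13} fix: {fixed_version_for(v)}")
```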