CVE-2020-11025

Summary

In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Affected Software

VendorProductVersion RangeStatus
WordPressWordPress>= 5.4.0, < 5.4.1affected
WordPressWordPress>= 5.3.0, < 5.3.3affected
WordPressWordPress>= 5.2.0, < 5.2.6affected
WordPressWordPress>= 5.1.0, < 5.1.5affected
WordPressWordPress>= 5.0.0, < 5.0.9affected
WordPressWordPress>= 4.9.0, < 4.9.14affected
WordPressWordPress>= 4.8.0, < 4.8.13affected
WordPressWordPress>= 4.7.0, < 4.7.17affected
WordPressWordPress>= 4.6.0, < 4.6.18affected
WordPressWordPress>= 4.5.0, < 4.5.21affected
WordPressWordPress>= 4.4.0, < 4.4.22affected
WordPressWordPress>= 4.3.0, < 4.3.23affected
WordPressWordPress>= 4.2.0, < 4.2.27affected
WordPressWordPress>= 4.1.0, < 4.1.30affected
WordPressWordPress>= 4.0.0, < 4.0.30affected
WordPressWordPress>= 3.9.0, < 3.9.31affected
WordPressWordPress>= 3.8.0, < 3.8.33affected
WordPressWordPress>= 3.7.0, < 3.7.33affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CVE Program Container

Additional References

References