CVE-2020-11026

Summary

In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Affected Software

VendorProductVersion RangeStatus
WordPressWordPress>= 5.4.0, < 5.4.1affected
WordPressWordPress>= 5.3.0, < 5.3.3affected
WordPressWordPress>= 5.2.0, < 5.2.6affected
WordPressWordPress>= 5.1.0, < 5.1.5affected
WordPressWordPress>= 5.0.0, < 5.0.9affected
WordPressWordPress>= 4.9.0, < 4.9.14affected
WordPressWordPress>= 4.8.0, < 4.8.13affected
WordPressWordPress>= 4.7.0, < 4.7.17affected
WordPressWordPress>= 4.6.0, < 4.6.18affected
WordPressWordPress>= 4.5.0, < 4.5.21affected
WordPressWordPress>= 4.4.0, < 4.4.22affected
WordPressWordPress>= 4.3.0, < 4.3.23affected
WordPressWordPress>= 4.2.0, < 4.2.27affected
WordPressWordPress>= 4.1.0, < 4.1.30affected
WordPressWordPress>= 4.0.0, < 4.0.30affected
WordPressWordPress>= 3.9.0, < 3.9.31affected
WordPressWordPress>= 3.8.0, < 3.8.33affected
WordPressWordPress>= 3.7.0, < 3.7.33affected

Weaknesses

  • CWE-707: CWE-707: Improper Neutralization

ADP Enrichment

CVE Program Container

Additional References

References