CVE-2020-11030

Summary

In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Affected Software

VendorProductVersion RangeStatus
WordPressWordPress>= 5.4.0, < 5.4.1affected
WordPressWordPress>= 5.3.0, < 5.3.3affected
WordPressWordPress>= 5.2.0, < 5.2.6affected
WordPressWordPress>= 5.1.0, < 5.1.5affected
WordPressWordPress>= 5.0.0, < 5.0.9affected
WordPressWordPress>= 4.9.0, < 4.9.14affected
WordPressWordPress>= 4.8.0, < 4.8.13affected
WordPressWordPress>= 4.7.0, < 4.7.17affected
WordPressWordPress>= 4.6.0, < 4.6.18affected
WordPressWordPress>= 4.5.0, < 4.5.21affected
WordPressWordPress>= 4.4.0, < 4.4.22affected
WordPressWordPress>= 4.3.0, < 4.3.23affected
WordPressWordPress>= 4.2.0, < 4.2.27affected
WordPressWordPress>= 4.1.0, < 4.1.30affected
WordPressWordPress>= 4.0.0, < 4.0.30affected
WordPressWordPress>= 3.9.0, < 3.9.31affected
WordPressWordPress>= 3.8.0, < 3.8.33affected
WordPressWordPress>= 3.7.0, < 3.7.33affected

Weaknesses

  • CWE-707: CWE-707: Improper Neutralization

ADP Enrichment

CVE Program Container

Additional References

References