Vulnerability Description
In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wordpress | Wordpress | >= 4.7, < 5.4.1 |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fThird Party Advisory
- https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updatesVendor Advisory
- https://www.debian.org/security/2020/dsa-4677Third Party Advisory
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fThird Party Advisory
- https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updatesVendor Advisory
- https://www.debian.org/security/2020/dsa-4677Third Party Advisory
FAQ
What is CVE-2020-11025?
CVE-2020-11025 is a vulnerability with a CVSS score of 5.8 (MEDIUM). In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user...
How severe is CVE-2020-11025?
CVE-2020-11025 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11025?
Check the references section above for vendor advisories and patch information. Affected products include: Wordpress Wordpress, Debian Debian Linux.