Vulnerability Description
In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wordpress | Wordpress | >= 3.7, < 3.7.33 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-465Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/05/msg00011.htmlMailing ListThird Party Advisory
- https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updatesRelease NotesVendor Advisory
- https://www.debian.org/security/2020/dsa-4677Third Party Advisory
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-465Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/05/msg00011.htmlMailing ListThird Party Advisory
- https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updatesRelease NotesVendor Advisory
- https://www.debian.org/security/2020/dsa-4677Third Party Advisory
FAQ
What is CVE-2020-11026?
CVE-2020-11026 is a vulnerability with a CVSS score of 8.7 (HIGH). In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with...
How severe is CVE-2020-11026?
CVE-2020-11026 has been rated HIGH with a CVSS base score of 8.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11026?
Check the references section above for vendor advisories and patch information. Affected products include: Wordpress Wordpress, Debian Debian Linux.