Multiple vulnerabilities in WordPress



Published: 2020-04-29 | Updated: 2020-09-22
Risk High
Patch available YES
Number of vulnerabilities 8
CVE-ID CVE-2020-11027
CVE-2020-11028
CVE-2020-11025
CVE-2020-11030
CVE-2020-11029
CVE-2020-11026
CVE-2020-25286
CWE-ID CWE-640
CWE-284
CWE-79
CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
WordPress
Web applications / CMS

Vendor WordPress.ORG

Security Bulletin

This security bulletin contains information about 8 vulnerabilities.

Updated 04.05.2020
Assigned CVE-ID number for vulnerabilities #1-6
Updated: 22.09.2020
Added vulnerability #7.

1) Weak Password Recovery Mechanism for Forgotten Password

EUVDB-ID: #VU27438

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11027

CWE-ID: CWE-640 - Weak password recovery mechanism

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise user accounts.

The vulnerability exists due to password reset token is not correctly invalidated. A remote attacker can abuse such behavior to take over another user account. 

Successful exploitation of the vulnerability may allows an attacker to gain full access to the affected website.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

WordPress: 3.7 - 3.7.32, 3.8 - 3.8.32, 3.9 - 3.9.30, 4.0 - 4.0.29, 4.1 - 4.1.29, 4.2 - 4.2.26, 4.3 - 4.3.22, 4.4 - 4.4.21, 4.5 - 4.5.20, 4.6 - 4.6.17, 4.7 - 4.7.16, 4.8 - 4.8.12, 4.9 - 4.9.13, 5.0 - 5.0.8, 5.1 - 5.1.4, 5.2 - 5.2.5, 5.3 - 5.3.2, 5.4


CPE2.3 External links

http://wordpress.org/news/2020/04/wordpress-5-4-1/
http://wpvulndb.com/vulnerabilities/10201/
http://core.trac.wordpress.org/changeset/47634/
http://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
http://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ww7v-jg8c-q6jw

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper access control

EUVDB-ID: #VU27439

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11028

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions to certain private posts. A remote non-authenticated attacker can bypass implemented security restrictions and read private posts.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

WordPress: 3.7 - 3.7.32, 3.8 - 3.8.32, 3.9 - 3.9.30, 4.0 - 4.0.29, 4.1 - 4.1.29, 4.2 - 4.2.26, 4.3 - 4.3.22, 4.4 - 4.4.21, 4.5 - 4.5.20, 4.6 - 4.6.17, 4.7 - 4.7.16, 4.8 - 4.8.12, 4.9 - 4.9.13, 5.0 - 5.0.8, 5.1 - 5.1.4, 5.2 - 5.2.5, 5.3 - 5.3.2, 5.4


CPE2.3 External links

http://wordpress.org/news/2020/04/wordpress-5-4-1/
http://wpvulndb.com/vulnerabilities/10202/
http://core.trac.wordpress.org/changeset/47635/
http://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
http://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cross-site scripting

EUVDB-ID: #VU27440

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11025

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in Customizer. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

WordPress: 3.7 - 3.7.32, 3.8 - 3.8.32, 3.9 - 3.9.30, 4.0 - 4.0.29, 4.1 - 4.1.29, 4.2 - 4.2.26, 4.3 - 4.3.22, 4.4 - 4.4.21, 4.5 - 4.5.20, 4.6 - 4.6.17, 4.7 - 4.7.16, 4.8 - 4.8.12, 4.9 - 4.9.13, 5.0 - 5.0.8, 5.1 - 5.1.4, 5.2 - 5.2.5, 5.3 - 5.3.2, 5.4


CPE2.3 External links

http://wordpress.org/news/2020/04/wordpress-5-4-1/
http://wpvulndb.com/vulnerabilities/10203/
http://core.trac.wordpress.org/changeset/47633/
http://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
http://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Cross-site scripting

EUVDB-ID: #VU27441

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11030

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the search block. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

WordPress: 3.7 - 3.7.32, 3.8 - 3.8.32, 3.9 - 3.9.30, 4.0 - 4.0.29, 4.1 - 4.1.29, 4.2 - 4.2.26, 4.3 - 4.3.22, 4.4 - 4.4.21, 4.5 - 4.5.20, 4.6 - 4.6.17, 4.7 - 4.7.16, 4.8 - 4.8.12, 4.9 - 4.9.13, 5.0 - 5.0.8, 5.1 - 5.1.4, 5.2 - 5.2.5, 5.3 - 5.3.2, 5.4


CPE2.3 External links

http://wordpress.org/news/2020/04/wordpress-5-4-1/
http://wpvulndb.com/vulnerabilities/10204/
http://core.trac.wordpress.org/changeset/47636/
http://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
http://github.com/WordPress/wordpress-develop/security/advisories/GHSA-vccm-6gmc-qhjh

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Cross-site scripting

EUVDB-ID: #VU27442

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11029

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in wp-object-cache. A remote attacker can execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

WordPress: 3.7 - 3.7.32, 3.8 - 3.8.32, 3.9 - 3.9.30, 4.0 - 4.0.29, 4.1 - 4.1.29, 4.2 - 4.2.26, 4.3 - 4.3.22, 4.4 - 4.4.21, 4.5 - 4.5.20, 4.6 - 4.6.17, 4.7 - 4.7.16, 4.8 - 4.8.12, 4.9 - 4.9.13, 5.0 - 5.0.8, 5.1 - 5.1.4, 5.2 - 5.2.5, 5.3 - 5.3.2, 5.4


CPE2.3 External links

http://wordpress.org/news/2020/04/wordpress-5-4-1/
http://wpvulndb.com/vulnerabilities/10205/
http://core.trac.wordpress.org/changeset/47637/
http://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
http://github.com/WordPress/wordpress-develop/security/advisories/GHSA-568w-8m88-8g2c

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Cross-site scripting

EUVDB-ID: #VU27443

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11026

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in file uploads. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

WordPress: 3.7 - 3.7.32, 3.8 - 3.8.32, 3.9 - 3.9.30, 4.0 - 4.0.29, 4.1 - 4.1.29, 4.2 - 4.2.26, 4.3 - 4.3.22, 4.4 - 4.4.21, 4.5 - 4.5.20, 4.6 - 4.6.17, 4.7 - 4.7.16, 4.8 - 4.8.12, 4.9 - 4.9.13, 5.0 - 5.0.8, 5.1 - 5.1.4, 5.2 - 5.2.5, 5.3 - 5.3.2, 5.4


CPE2.3 External links

http://wordpress.org/news/2020/04/wordpress-5-4-1/
http://wpvulndb.com/vulnerabilities/10206/
http://core.trac.wordpress.org/changeset/47638/
http://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
http://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Stored cross-site scripting

EUVDB-ID: #VU27444

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the WordPress customizer. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

WordPress: 3.7 - 3.7.32, 3.8 - 3.8.32, 3.9 - 3.9.30, 4.0 - 4.0.29, 4.1 - 4.1.29, 4.2 - 4.2.26, 4.3 - 4.3.22, 4.4 - 4.4.21, 4.5 - 4.5.20, 4.6 - 4.6.17, 4.7 - 4.7.16, 4.8 - 4.8.12, 4.9 - 4.9.13, 5.0 - 5.0.8, 5.1 - 5.1.4, 5.2 - 5.2.5, 5.3 - 5.3.2, 5.4


CPE2.3 External links

http://wordpress.org/news/2020/04/wordpress-5-4-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Information disclosure

EUVDB-ID: #VU46808

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-25286

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive data.

The vulnerability exists due to improper access restrictions in wp-includes/comment-template.php, as comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public. A remote attacker can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

WordPress: 5.4 - 5.4.1


CPE2.3 External links

http://core.trac.wordpress.org/changeset/47984
http://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###