#VU27439 Improper access control in WordPress - CVE-2020-11028
Published: April 29, 2020 / Updated: May 4, 2020
Vulnerability identifier: #VU27439
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-11028
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
WordPress
WordPress
Software vendor:
WordPress.ORG
WordPress.ORG
Description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions to certain private posts. A remote non-authenticated attacker can bypass implemented security restrictions and read private posts.
Remediation
Install updates from vendor's website.
External links
- https://wordpress.org/news/2020/04/wordpress-5-4-1/
- https://wpvulndb.com/vulnerabilities/10202/
- https://core.trac.wordpress.org/changeset/47635/
- https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w