Test ID:1.3.6.1.4.1.25623.1.0.144103
Category:Web application abuses
Title:WordPress Multiple Vulnerabilities - June20 (Windows)
Summary:WordPress is prone to multiple vulnerabilities.
Description:

Vulnerability Insight:
WordPress is prone to multiple vulnerabilities:

- Authenticated users with upload permissions (like authors) are able to inject JavaScript into some media
file attachment pages in a certain way. This can lead to script execution in the context of a higher
privileged user when the file is viewed by them. (CVE-2020-4047)

- Due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted
leading to unintended/open redirect when clicked. (CVE-2020-4048)

- When uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript
execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low
severity self-XSS. (CVE-2020-4049)

- Misuse of the 'set-screen-option' filter's return value allows arbitrary user meta fields to be saved. It
does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged
by low privileged users. (CVE-2020-4050)

- Comments from a post or page can sometimes be seen in the latest comments even if the post or page is not
public. (CVE-2020-25286)

Affected Software/OS:
WordPress versions 3.7 - 5.4.1.

Solution:
Update to version 3.7.34, 3.8.34, 3.9.32, 4.0.31, 4.1.31, 4.2.28, 4.3.24,
4.4.23, 4.5.22, 4.6.19, 4.7.18, 4.8.14, 4.9.15, 5.0.10, 5.1.6, 5.2.7, 5.3.4, 5.4.2 or later.

CVSS Score:
6.0

CVSS Vector:
AV:N/AC:M/Au:S/C:P/I:P/A:P

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2020-4047
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-8q2w-5m27-wm27
Debian Security Information: DSA-4709
https://www.debian.org/security/2020/dsa-4709
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/
https://github.com/WordPress/wordpress-develop/commit/0977c0d6b241479ecedfe19e96be69f727c3f81f
https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
https://lists.debian.org/debian-lts-announce/2020/07/msg00000.html
https://lists.debian.org/debian-lts-announce/2020/09/msg00011.html
Common Vulnerability Exposure (CVE) ID: CVE-2020-4048
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-q6pw-gvf4-5fj5
https://github.com/WordPress/wordpress-develop/commit/6ef777e9a022bee2a80fa671118e7e2657e52693
Common Vulnerability Exposure (CVE) ID: CVE-2020-4049
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-87h4-phjv-rm6p
https://github.com/WordPress/wordpress-develop/commit/404f397b4012fd9d382e55bf7d206c1317f01148
Common Vulnerability Exposure (CVE) ID: CVE-2020-4050
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4vpv-fgg2-gcqc
https://github.com/WordPress/wordpress-develop/commit/b8dea76b495f0072523106c6ec46b9ea0d2a0920
Copyright: Copyright (C) 2020 Greenbone Networks GmbH

© 1998-2020 E-Soft Inc. All rights reserved.