Unrated severityNVD Advisory· Published Apr 30, 2020· Updated Aug 4, 2024

Authenticated cross-site scripting (XSS) in WordPress Customizer

CVE-2020-11025

Description

In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Affected products

osv-coords2 versions
pkg:bitnami/wordpress pkg:bitnami/wordpress-multisite
>= 4.7.0, < 5.4.1+ 1 more
- (no CPE)range: >= 4.7.0, < 5.4.1
- (no CPE)range: >= 4.7.0, < 5.4.1
WordPress/WordPressv5
Range: >= 5.4.0, < 5.4.1
Package: https://wordpress.org/plugins/wordpress

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.debian.org/security/2020/dsa-4677mitrevendor-advisoryx_refsource_DEBIAN
github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3cmitrex_refsource_CONFIRM
wordpress.org/support/wordpress-version/version-5-4-1/mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000