Unrated severity · NVD Advisory · Published Apr 30, 2020 · Updated Aug 4, 2024
Cross-site scripting (XSS) in Search block in WordPress
CVE-2020-11030
Description
In affected versions of WordPress, a specially crafted payload can cause scripts to be executed within the search block of the block editor. Exploitation requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, and in all previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
Affected products
- osv-coords (2 versions): < 5.4.1, + 1 more
- (no CPE) range: < 5.4.1
- (no CPE) range: < 5.4.1
References
- www.debian.org/security/2020/dsa-4677 (mitre, vendor-advisory, x_refsource_DEBIAN)
- github.com/WordPress/wordpress-develop/security/advisories/GHSA-vccm-6gmc-qhjh (mitre, x_refsource_CONFIRM)
- wordpress.org/support/wordpress-version/version-5-4-1/ (mitre, x_refsource_MISC)