CVE-2020-11025

Description

In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

How to fix CVE-2020-11025

To remediate CVE-2020-11025, upgrade the affected package to a fixed version below.

• —upgrade to 5.4.1 or later
• —upgrade to 5.4.1 or later
• —upgrade to 5.4.1+dfsg1-1 or later
• —upgrade to 4.7.5+dfsg-2+deb9u6 or later

Is CVE-2020-11025 being exploited?

Low — EPSS is 1.4%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• >= 4.7.0, < 5.4.1
• >= 4.7.0, < 5.4.1
• from 0, < 5.4.1+dfsg1-1
• from 0, < 4.7.5+dfsg-2+deb9u6

CVSS scores

References (5)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-11025
• WEBgithub.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c
• WEBnvd.nist.gov/vuln/detail/CVE-2020-11025
• WEBwordpress.org/support/wordpress-version/version-5-4-1/#security-updates