CVE-2020-11030
Cross-site scripting (XSS) in Search block in WordPress
5.4
MEDIUM
CVSS 3.1
EPSS 1.0%
Description
In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
How to fix CVE-2020-11030
To remediate CVE-2020-11030, upgrade the affected package to a fixed version below.
- —upgrade to 5.4.1 or later
- —upgrade to 5.4.1 or later
- —upgrade to 5.4.1+dfsg1-1 or later
Is CVE-2020-11030 being exploited?
Low — the EPSS score is 1.0%, a low estimated probability of exploitation in the wild; widespread exploitation activity has not been observed. Note that the vulnerability still requires an authenticated user who can add content, so exposure is mainly from untrusted contributor or author accounts.
Affected packages (3)
- from 0, < 5.4.1
- from 0, < 5.4.1
- from 0, < 5.4.1+dfsg1-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.4) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |