CVE-2020-28033

Description

WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.

How to fix CVE-2020-28033

To remediate CVE-2020-28033, upgrade the affected package to a fixed version below.

• Bitnami/wordpress—upgrade to 5.5.2 or later
• Bitnami/wordpress-multisite—upgrade to 5.5.2 or later
• Debian/wordpress—upgrade to 5.5.3+dfsg1-1 or later

Is CVE-2020-28033 being exploited?

Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• from 0, < 5.5.2
• from 0, < 5.5.2
• from 0, < 5.5.3+dfsg1-1

CVSS scores

References (8)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-28033
• WEBlists.debian.org/debian-lts-announce/2020/11/msg00004.html
• WEBlists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHVNK2WYAM3ZTCXTFSEIT56IKLVJHU3/
• WEB