CVE-2020-28036

Description

wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.

How to fix CVE-2020-28036

To remediate CVE-2020-28036, upgrade the affected package to a fixed version below.

• Bitnami/wordpress—upgrade to 5.5.2 or later
• Bitnami/wordpress-multisite—upgrade to 5.5.2 or later
• Debian/wordpress—upgrade to 5.5.3+dfsg1-1 or later

Is CVE-2020-28036 being exploited?

Moderate — EPSS is 6.4%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (3)

• from 0, < 5.5.2
• from 0, < 5.5.2
• from 0, < 5.5.3+dfsg1-1

CVSS scores

References (10)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-28036
• WEBgithub.com/WordPress/wordpress-develop/commit/c9e6b98968025b1629015998d12c3102165a7d32
• WEBlists.debian.org/debian-lts-announce/2020/11/msg00004.html
• WEBlists.fedoraproject.org