CVE-2020-11027

MEDIUM

WordPress <5.4.1 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-11027. PoCs published by Amirhossein Bahramizadeh.

AI-analyzed exploit summary This exploit demonstrates a weak password recovery mechanism in WordPress Theme Medic v1.0.0 by checking if the password reset link expires upon changing the user password. It retrieves the reset link from an email and verifies its expiration time.

Description

In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Exploits (1)

exploitdb WORKING POC
by Amirhossein Bahramizadeh · pythonwebappsphp
https://www.exploit-db.com/exploits/51531

This exploit demonstrates a weak password recovery mechanism in WordPress Theme Medic v1.0.0 by checking if the password reset link expires upon changing the user password. It retrieves the reset link from an email and verifies its expiration time.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: WordPress Theme Medic v1.0.0
No auth needed
Prerequisites: Access to the target WordPress site · User email address · Password reset email
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v3 6.1
EPSS 0.1421
EPSS Percentile 96.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Details

CWE
CWE-640 CWE-672
Status published
Products (5)
debian/debian_linux 8.0
debian/debian_linux 9.0
debian/debian_linux 10.0
wordpress/wordpress 5.4
wordpress/wordpress 3.7 - 3.7.33
Published Apr 30, 2020
Tracked Since Feb 18, 2026