CVE-2020-11030

MEDIUM

WordPress <5.4.1 - Authenticated RCE

Title source: llm

Description

In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

References (3)

[Third Party Advisory] https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-vccm-6gmc-qhjh

[Release Notes, Vendor Advisory] https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates

[Third Party Advisory] https://www.debian.org/security/2020/dsa-4677

Scores

CVSS v3 6.4

EPSS 0.0104

EPSS Percentile 77.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79 CWE-707

Status published

Affected Products (3)

wordpress/wordpress < 5.4.1

debian/debian_linux

Timeline

Published Apr 30, 2020

Tracked Since Feb 18, 2026