Home > Vulnerability Database > CVE-2020-11025

Mend.io Vulnerability Database

CVE-2020-11025

Date: April 30, 2020

In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Severity Score

5.8

Related Resources (7)

Url: https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11025

Url: https://security-tracker.debian.org/tracker/CVE-2020-11025

Url: https://www.debian.org/security/2020/dsa-4677

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-11025

Url: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c

Url: https://www.mend.io/vulnerability-database/CVE-2020-11025

Severity Score

5.8

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

CVSS v3.1

Base Score:	5.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	3.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	SINGLE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-11025

Date: April 30, 2020

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?