{ "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-11029", "STATE": "PUBLIC", "TITLE": "Cross-site scripting in stats method (object cache) in WordPress" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "WordPress", "version": { "version_data": [ { "version_value": ">= 5.4.0, < 5.4.1" }, { "version_value": ">= 5.3.0, < 5.3.3" }, { "version_value": ">= 5.2.0, < 5.2.6" }, { "version_value": ">= 5.1.0, < 5.1.5" }, { "version_value": ">= 5.0.0, < 5.0.9" }, { "version_value": ">= 4.9.0, < 4.9.14" }, { "version_value": ">= 4.8.0, < 4.8.13" }, { "version_value": ">= 4.7.0, < 4.7.17" }, { "version_value": ">= 4.6.0, < 4.6.18" }, { "version_value": ">= 4.5.0, < 4.5.21" }, { "version_value": ">= 4.4.0, < 4.4.22" }, { "version_value": ">= 4.3.0, < 4.3.23" }, { "version_value": ">= 4.2.0, < 4.2.27" }, { "version_value": ">= 4.1.0, < 4.1.30" }, { "version_value": ">= 4.0.0, < 4.0.30" }, { "version_value": ">= 3.9.0, < 3.9.31" }, { "version_value": ">= 3.8.0, < 3.8.33" }, { "version_value": ">= 3.7.0, < 3.7.33" } ] } } ] }, "vendor_name": "WordPress" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, and in a minor release for each of the previously affected versions (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33)." 
} ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" } ] } ] }, "references": { "reference_data": [ { "name": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates", "refsource": "MISC", "url": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates" }, { "name": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-568w-8m88-8g2c", "refsource": "CONFIRM", "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-568w-8m88-8g2c" }, { "refsource": "DEBIAN", "name": "DSA-4677", "url": "https://www.debian.org/security/2020/dsa-4677" }, { "refsource": "MLIST", "name": "[debian-lts-announce] 20200511 [SECURITY] [DLA 2208-1] wordpress security update", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html" } ] }, "source": { "advisory": "GHSA-568w-8m88-8g2c", "discovery": "UNKNOWN" } }