Vulnerability Name:

CVE-2020-11028 (CCN-181295)

Assigned:2020-04-30
Published:2020-04-30
Updated:2021-09-14
Summary:In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-306
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2020-11028

Source: XF
Type: UNKNOWN
wp-core-cve202011028-info-disc(181295)

Source: CCN
Type: WordPress GIT Repository
WordPress: Unauthenticated disclosure of certain private posts

Source: CONFIRM
Type: Third Party Advisory
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20200511 [SECURITY] [DLA 2208-1] wordpress security update

Source: MISC
Type: Release Notes, Vendor Advisory
https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates

Source: DEBIAN
Type: Third Party Advisory
DSA-4677

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-11028

Vulnerable Configuration:Configuration 1:
  • cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version < 5.4.1)

    • Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:wordpress:wordpress:5.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress:5.4:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    wordpress wordpress *
    debian debian linux 9.0
    debian debian linux 10.0
    debian debian linux 8.0
    wordpress wordpress 5.3.3
    wordpress wordpress 5.4