Vulnerability Name:

CVE-2020-4049 (CCN-183388)

Assigned:2019-12-30
Published:2020-06-12
Updated:2020-12-23
Summary:In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
CVSS v3 Severity:2.4 Low (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N)
2.3 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
5.4 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-80
Vulnerability Consequences:Cross-Site Scripting
References:Source: MITRE
Type: CNA
CVE-2020-4049

Source: XF
Type: UNKNOWN
wp-cve20204049-xss(183388)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/WordPress/wordpress-develop/commit/404f397b4012fd9d382e55bf7d206c1317f01148

Source: CCN
Type: WordPress GIT Repository
WordPress: Authenticated self-XSS via theme uploads

Source: CONFIRM
Type: Third Party Advisory
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-87h4-phjv-rm6p

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20200701 [SECURITY] [DLA 2269-1] wordpress security update

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20200911 [SECURITY] [DLA 2371-1] wordpress security update

Source: FEDORA
Type: Third Party Advisory
FEDORA-2020-bbedd29391

Source: FEDORA
Type: Third Party Advisory
FEDORA-2020-8447a3e195

Source: CCN
Type: WordPress Web site
WordPress.com (Official Site) - Create A Beautiful Website?

Source: MISC
Type: Vendor Advisory
https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/

Source: DEBIAN
Type: Third Party Advisory
DSA-4709

Vulnerable Configuration:Configuration 1:
  • cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version >= 3.7 and < 3.7.34)
  • OR cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version >= 3.8 and < 3.8.34)
  • OR cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version >= 3.9 and < 3.9.32)
  • OR cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version >= 4.0 and < 4.0.31)
  • OR cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version >= 4.1 and < 4.1.31)
  • OR cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version >= 4.2 and < 4.2.28)
  • OR cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version >= 4.3 and < 4.3.24)
  • OR cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version >= 4.4 and < 4.4.23)
  • OR cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version >= 4.5 and < 4.5.22)
  • OR cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version >= 4.6 and < 4.6.19)
  • OR cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version >= 4.7 and < 4.7.18)
  • OR cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version >= 4.8 and < 4.8.14)
  • OR cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version >= 4.9 and < 4.9.15)
  • OR cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version >= 5.0 and < 5.0.10)
  • OR cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version >= 5.1 and < 5.1.6)
  • OR cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version >= 5.2 and < 5.2.7)
  • OR cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version >= 5.3.0 and < 5.3.4)
  • OR cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version >= 5.4 and < 5.4.2)

    • Configuration 2:
  • cpe:/o:fedoraproject:fedora:31:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:bufferapp:digg_digg:5.3.4:*:*:*:*:wordpress:*:*

    • * Denotes that component is vulnerable
    BACK
    wordpress wordpress *
    wordpress wordpress *
    wordpress wordpress *
    wordpress wordpress *
    wordpress wordpress *
    wordpress wordpress *
    wordpress wordpress *
    wordpress wordpress *
    wordpress wordpress *
    wordpress wordpress *
    wordpress wordpress *
    wordpress wordpress *
    wordpress wordpress *
    wordpress wordpress *
    wordpress wordpress *
    wordpress wordpress *
    wordpress wordpress *
    wordpress wordpress *
    fedoraproject fedora 31
    fedoraproject fedora 32
    debian debian linux 8.0
    debian debian linux 9.0
    debian debian linux 10.0
    bufferapp digg digg 5.3.4