| VID | 22958 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description |
According to its self-reported version number, the WordPress installation on the remote host is affected by multiple vulnerabilities:
- A deserialization vulnerability exists in wp-includes/Requests/Utility/FilteredIterator.php. An unauthenticated, remote attacker can exploit this, by sending specially crafted serialized payloads to an affected instance, to execute arbitrary code on the target host (CVE-2020-28032).
- Multiple privilege escalation vulnerabilities exist in the XML-RPC component of WordPress. An unauthenticated, remote attacker can exploit these to gain privileged access to an affected host (CVE-2020-28035, CVE-2020-28036).
- A remote code execution vulnerability exists in the is_blog_installed function of wp-includes/functions.php. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands (CVE-2020-28037).
* References:
  - https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
  - https://wordpress.org/support/wordpress-version/version-5-5-2/
* Platforms Affected: WordPress prior to 5.5.2; any operating system, any version |
| Recommendation |
Upgrade to a version that fixes this vulnerability (5.5.2 or later), available from the WordPress download page at http://wordpress.org/download/ |
| Related URL |
CVE-2020-28032, CVE-2020-28033, CVE-2020-28034, CVE-2020-28035, CVE-2020-28036, CVE-2020-28037, CVE-2020-28038, CVE-2020-28040 (CVE) |