SB20200611187 - Fedora EPEL 6 update for wordpress

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20200611187

SB20200611187 - Fedora EPEL 6 update for wordpress

Published: June 11, 2020 Updated: April 25, 2025

Security Bulletin ID SB20200611187
Severity
Low
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2020-4046)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user is able to add JavaScript to posts in the block editor and execute arbitrary script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


2) Cross-site scripting (CVE-ID: CVE-2020-4047)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user with upload permissions is able to add JavaScript to media files and execute arbitrary script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


3) Open redirect (CVE-ID: CVE-2020-4048)

The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to improper sanitization of user-supplied data to wp_validate_redirect(). A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.


4) Cross-site scripting (CVE-ID: CVE-2020-4049)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data via theme uploads. A remote user can execute arbitrary script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-4050)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions, which leads to security restrictions bypass where set-screen-option can be misused by plugins. A remote attacker can escalate privileges within the application.


Remediation

Install update from vendor's website.

References