WPScan

WordPress Vulnerabilities

WordPress < 5.5.2 - Cross-Site Request Forgery (CSRF) to Change Theme Background

Description

Erwan, a security researcher from the WPScan team, discovered and responsibly disclosed a Cross-Site Request Forgery (CSRF) vulnerability that could allow an unauthenticated attacker to change the background image of the theme. For the attack to succeed, a privileged authenticated WordPress user would need to visit a page the attacker controls, which is what triggers the forged request.

Affects WordPress

- 5.5.1 (fixed in version 5.5.2)
- 5.5 (fixed in version 5.5.2)

References

- CVE: CVE-2020-28040
- URL: https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
- URL: https://github.com/WordPress/wordpress-develop/commit/cbcc595974d5aaa025ca55625bf68ef286bd8b41
- URL: https://blog.wpscan.com/wordpress-5-5-2-security-release/
- URL: https://hackerone.com/reports/881855

Classification

- Type: CSRF
- OWASP top 10: A2: Broken Authentication and Session Management
- CWE: CWE-352

Miscellaneous

Original Researcher

ErwanLR from WPScan

Verified

Yes

WPVDB ID
ebd354db-ab63-4644-891c-4a200e9eef7e

Timeline

Publicly Published

2020-10-29 (about 2 years ago)

Added

2020-10-31 (about 2 years ago)

Last Updated

2021-10-22 (about 1 year ago)
