WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Vulnerabilities

WordPress < 5.5.2 - Cross-Site Request Forgery (CSRF) to Change Theme Background

Description

Erwan, a security researcher from the WPScan team, discovered and responsibly disclosed a Cross-Site Request Forgery (CSRF) vulnerability that could allow an unauthenticated attacker to change the background image of the theme. For a successful attack, a privileged authenticated WordPress user would need to visit a page the attack controls, for the CSRF attack to be executed.

Affects WordPress

5.5.1
Fixed in version 5.5.2
5.5
Fixed in version 5.5.2

References

CVE
CVE-2020-28040
URL
https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
URL
https://github.com/WordPress/wordpress-develop/commit/cbcc595974d5aaa025ca55625bf68ef286bd8b41
URL
https://blog.wpscan.com/wordpress-5-5-2-security-release/
URL
https://hackerone.com/reports/881855

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

ErwanLR from WPScan

Verified

Yes

WPVDB ID
ebd354db-ab63-4644-891c-4a200e9eef7e

Timeline

Publicly Published

2020-10-29 (about 2 years ago)

Added

2020-10-31 (about 2 years ago)

Last Updated

2021-10-22 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin