WordPress Vulnerabilities

WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Customizer

Description

Authenticated users could corrupt JSON data in the Customizer of other users' to inject malicious JavaScript.

Affects WordPress

5.4
Fixed in WordPress 5.4.1
5.3.2
Fixed in WordPress 5.3.3
5.3.1
Fixed in WordPress 5.3.3
5.3
Fixed in WordPress 5.3.3
5.2.5
Fixed in WordPress 5.2.6
5.2.4
Fixed in WordPress 5.2.6
5.2.3
Fixed in WordPress 5.2.6
5.2.2
Fixed in WordPress 5.2.6
5.2.1
Fixed in WordPress 5.2.6
5.2
Fixed in WordPress 5.2.6
5.1.4
Fixed in WordPress 5.1.5
5.1.3
Fixed in WordPress 5.1.5
5.1.2
Fixed in WordPress 5.1.5
5.1.1
Fixed in WordPress 5.1.5
5.1
Fixed in WordPress 5.1.5
5.0.8
Fixed in WordPress 5.0.9
5.0.7
Fixed in WordPress 5.0.9
5.0.6
Fixed in WordPress 5.0.9
5.0.4
Fixed in WordPress 5.0.9
5.0.3
Fixed in WordPress 5.0.9
5.0.2
Fixed in WordPress 5.0.9
5.0.1
Fixed in WordPress 5.0.9
5.0
Fixed in WordPress 5.0.9
4.9.9
Fixed in WordPress 4.9.14
4.9.8
Fixed in WordPress 4.9.14
4.9.7
Fixed in WordPress 4.9.14
4.9.6
Fixed in WordPress 4.9.14
4.9.5
Fixed in WordPress 4.9.14
4.9.4
Fixed in WordPress 4.9.14
4.9.3
Fixed in WordPress 4.9.14
4.9.2
Fixed in WordPress 4.9.14
4.9.13
Fixed in WordPress 4.9.14
4.9.12
Fixed in WordPress 4.9.14
4.9.11
Fixed in WordPress 4.9.14
4.9.10
Fixed in WordPress 4.9.14
4.9.1
Fixed in WordPress 4.9.14
4.9
Fixed in WordPress 4.9.14
4.8.9
Fixed in WordPress 4.8.13
4.8.8
Fixed in WordPress 4.8.13
4.8.7
Fixed in WordPress 4.8.13
4.8.6
Fixed in WordPress 4.8.13
4.8.5
Fixed in WordPress 4.8.13
4.8.4
Fixed in WordPress 4.8.13
4.8.3
Fixed in WordPress 4.8.13
4.8.2
Fixed in WordPress 4.8.13
4.8.12
Fixed in WordPress 4.8.13
4.8.11
Fixed in WordPress 4.8.13
4.8.10
Fixed in WordPress 4.8.13
4.8.1
Fixed in WordPress 4.8.13
4.8
Fixed in WordPress 4.8.13
4.7.9
Fixed in WordPress 4.7.17
4.7.8
Fixed in WordPress 4.7.17
4.7.7
Fixed in WordPress 4.7.17
4.7.6
Fixed in WordPress 4.7.17
4.7.5
Fixed in WordPress 4.7.17
4.7.4
Fixed in WordPress 4.7.17
4.7.3
Fixed in WordPress 4.7.17
4.7.2
Fixed in WordPress 4.7.17
4.7.16
Fixed in WordPress 4.7.17
4.7.15
Fixed in WordPress 4.7.17
4.7.14
Fixed in WordPress 4.7.17
4.7.13
Fixed in WordPress 4.7.17
4.7.12
Fixed in WordPress 4.7.17
4.7.11
Fixed in WordPress 4.7.17
4.7.10
Fixed in WordPress 4.7.17
4.7.1
Fixed in WordPress 4.7.17
4.7
Fixed in WordPress 4.7.17
4.6.9
Fixed in WordPress 4.6.18
4.6.8
Fixed in WordPress 4.6.18
4.6.7
Fixed in WordPress 4.6.18
4.6.6
Fixed in WordPress 4.6.18
4.6.5
Fixed in WordPress 4.6.18
4.6.4
Fixed in WordPress 4.6.18
4.6.3
Fixed in WordPress 4.6.18
4.6.2
Fixed in WordPress 4.6.18
4.6.17
Fixed in WordPress 4.6.18
4.6.16
Fixed in WordPress 4.6.18
4.6.15
Fixed in WordPress 4.6.18
4.6.14
Fixed in WordPress 4.6.18
4.6.13
Fixed in WordPress 4.6.18
4.6.12
Fixed in WordPress 4.6.18
4.6.11
Fixed in WordPress 4.6.18
4.6.10
Fixed in WordPress 4.6.18
4.6.1
Fixed in WordPress 4.6.18
4.6
Fixed in WordPress 4.6.18
4.5.9
Fixed in WordPress 4.5.21
4.5.8
Fixed in WordPress 4.5.21
4.5.7
Fixed in WordPress 4.5.21
4.5.6
Fixed in WordPress 4.5.21
4.5.5
Fixed in WordPress 4.5.21
4.5.4
Fixed in WordPress 4.5.21
4.5.3
Fixed in WordPress 4.5.21
4.5.20
Fixed in WordPress 4.5.21
4.5.2
Fixed in WordPress 4.5.21
4.5.19
Fixed in WordPress 4.5.21
4.5.18
Fixed in WordPress 4.5.21
4.5.17
Fixed in WordPress 4.5.21
4.5.16
Fixed in WordPress 4.5.21
4.5.15
Fixed in WordPress 4.5.21
4.5.14
Fixed in WordPress 4.5.21
4.5.13
Fixed in WordPress 4.5.21
4.5.12
Fixed in WordPress 4.5.21
4.5.11
Fixed in WordPress 4.5.21
4.5.10
Fixed in WordPress 4.5.21
4.5.1
Fixed in WordPress 4.5.21
4.5
Fixed in WordPress 4.5.21
4.4.9
Fixed in WordPress 4.4.22
4.4.8
Fixed in WordPress 4.4.22
4.4.7
Fixed in WordPress 4.4.22
4.4.6
Fixed in WordPress 4.4.22
4.4.5
Fixed in WordPress 4.4.22
4.4.4
Fixed in WordPress 4.4.22
4.4.3
Fixed in WordPress 4.4.22
4.4.21
Fixed in WordPress 4.4.22
4.4.20
Fixed in WordPress 4.4.22
4.4.2
Fixed in WordPress 4.4.22
4.4.19
Fixed in WordPress 4.4.22
4.4.18
Fixed in WordPress 4.4.22
4.4.17
Fixed in WordPress 4.4.22
4.4.16
Fixed in WordPress 4.4.22
4.4.15
Fixed in WordPress 4.4.22
4.4.14
Fixed in WordPress 4.4.22
4.4.13
Fixed in WordPress 4.4.22
4.4.12
Fixed in WordPress 4.4.22
4.4.11
Fixed in WordPress 4.4.22
4.4.10
Fixed in WordPress 4.4.22
4.4.1
Fixed in WordPress 4.4.22
4.4
Fixed in WordPress 4.4.22
4.3.9
Fixed in WordPress 4.3.23
4.3.8
Fixed in WordPress 4.3.23
4.3.7
Fixed in WordPress 4.3.23
4.3.6
Fixed in WordPress 4.3.23
4.3.5
Fixed in WordPress 4.3.23
4.3.4
Fixed in WordPress 4.3.23
4.3.3
Fixed in WordPress 4.3.23
4.3.22
Fixed in WordPress 4.3.23
4.3.21
Fixed in WordPress 4.3.23
4.3.20
Fixed in WordPress 4.3.23
4.3.2
Fixed in WordPress 4.3.23
4.3.19
Fixed in WordPress 4.3.23
4.3.18
Fixed in WordPress 4.3.23
4.3.17
Fixed in WordPress 4.3.23
4.3.16
Fixed in WordPress 4.3.23
4.3.15
Fixed in WordPress 4.3.23
4.3.14
Fixed in WordPress 4.3.23
4.3.13
Fixed in WordPress 4.3.23
4.3.12
Fixed in WordPress 4.3.23
4.3.11
Fixed in WordPress 4.3.23
4.3.10
Fixed in WordPress 4.3.23
4.3.1
Fixed in WordPress 4.3.23
4.3
Fixed in WordPress 4.3.23
4.2.9
Fixed in WordPress 4.2.27
4.2.8
Fixed in WordPress 4.2.27
4.2.7
Fixed in WordPress 4.2.27
4.2.6
Fixed in WordPress 4.2.27
4.2.5
Fixed in WordPress 4.2.27
4.2.4
Fixed in WordPress 4.2.27
4.2.3
Fixed in WordPress 4.2.27
4.2.26
Fixed in WordPress 4.2.27
4.2.25
Fixed in WordPress 4.2.27
4.2.24
Fixed in WordPress 4.2.27
4.2.23
Fixed in WordPress 4.2.27
4.2.22
Fixed in WordPress 4.2.27
4.2.21
Fixed in WordPress 4.2.27
4.2.20
Fixed in WordPress 4.2.27
4.2.2
Fixed in WordPress 4.2.27
4.2.19
Fixed in WordPress 4.2.27
4.2.18
Fixed in WordPress 4.2.27
4.2.17
Fixed in WordPress 4.2.27
4.2.16
Fixed in WordPress 4.2.27
4.2.15
Fixed in WordPress 4.2.27
4.2.14
Fixed in WordPress 4.2.27
4.2.13
Fixed in WordPress 4.2.27
4.2.12
Fixed in WordPress 4.2.27
4.2.11
Fixed in WordPress 4.2.27
4.2.10
Fixed in WordPress 4.2.27
4.2.1
Fixed in WordPress 4.2.27
4.2
Fixed in WordPress 4.2.27
4.1.9
Fixed in WordPress 4.1.30
4.1.8
Fixed in WordPress 4.1.30
4.1.7
Fixed in WordPress 4.1.30
4.1.6
Fixed in WordPress 4.1.30
4.1.5
Fixed in WordPress 4.1.30
4.1.4
Fixed in WordPress 4.1.30
4.1.3
Fixed in WordPress 4.1.30
4.1.29
Fixed in WordPress 4.1.30
4.1.28
Fixed in WordPress 4.1.30
4.1.27
Fixed in WordPress 4.1.30
4.1.26
Fixed in WordPress 4.1.30
4.1.25
Fixed in WordPress 4.1.30
4.1.24
Fixed in WordPress 4.1.30
4.1.23
Fixed in WordPress 4.1.30
4.1.22
Fixed in WordPress 4.1.30
4.1.21
Fixed in WordPress 4.1.30
4.1.20
Fixed in WordPress 4.1.30
4.1.2
Fixed in WordPress 4.1.30
4.1.19
Fixed in WordPress 4.1.30
4.1.18
Fixed in WordPress 4.1.30
4.1.17
Fixed in WordPress 4.1.30
4.1.16
Fixed in WordPress 4.1.30
4.1.15
Fixed in WordPress 4.1.30
4.1.14
Fixed in WordPress 4.1.30
4.1.13
Fixed in WordPress 4.1.30
4.1.12
Fixed in WordPress 4.1.30
4.1.11
Fixed in WordPress 4.1.30
4.1.10
Fixed in WordPress 4.1.30
4.1.1
Fixed in WordPress 4.1.30
4.1
Fixed in WordPress 4.1.30
4.0.9
Fixed in WordPress 4.0.30
4.0.8
Fixed in WordPress 4.0.30
4.0.7
Fixed in WordPress 4.0.30
4.0.6
Fixed in WordPress 4.0.30
4.0.5
Fixed in WordPress 4.0.30
4.0.4
Fixed in WordPress 4.0.30
4.0.3
Fixed in WordPress 4.0.30
4.0.29
Fixed in WordPress 4.0.30
4.0.28
Fixed in WordPress 4.0.30
4.0.27
Fixed in WordPress 4.0.30
4.0.26
Fixed in WordPress 4.0.30
4.0.25
Fixed in WordPress 4.0.30
4.0.24
Fixed in WordPress 4.0.30
4.0.23
Fixed in WordPress 4.0.30
4.0.22
Fixed in WordPress 4.0.30
4.0.21
Fixed in WordPress 4.0.30
4.0.20
Fixed in WordPress 4.0.30
4.0.2
Fixed in WordPress 4.0.30
4.0.19
Fixed in WordPress 4.0.30
4.0.18
Fixed in WordPress 4.0.30
4.0.17
Fixed in WordPress 4.0.30
4.0.16
Fixed in WordPress 4.0.30
4.0.15
Fixed in WordPress 4.0.30
4.0.14
Fixed in WordPress 4.0.30
4.0.13
Fixed in WordPress 4.0.30
4.0.12
Fixed in WordPress 4.0.30
4.0.11
Fixed in WordPress 4.0.30
4.0.10
Fixed in WordPress 4.0.30
4.0.1
Fixed in WordPress 4.0.30
4.0
Fixed in WordPress 4.0.30
3.9.9
Fixed in WordPress 3.9.31
3.9.8
Fixed in WordPress 3.9.31
3.9.7
Fixed in WordPress 3.9.31
3.9.6
Fixed in WordPress 3.9.31
3.9.5
Fixed in WordPress 3.9.31
3.9.4
Fixed in WordPress 3.9.31
3.9.30
Fixed in WordPress 3.9.31
3.9.3
Fixed in WordPress 3.9.31
3.9.29
Fixed in WordPress 3.9.31
3.9.28
Fixed in WordPress 3.9.31
3.9.27
Fixed in WordPress 3.9.31
3.9.26
Fixed in WordPress 3.9.31
3.9.25
Fixed in WordPress 3.9.31
3.9.24
Fixed in WordPress 3.9.31
3.9.23
Fixed in WordPress 3.9.31
3.9.22
Fixed in WordPress 3.9.31
3.9.21
Fixed in WordPress 3.9.31
3.9.20
Fixed in WordPress 3.9.31
3.9.2
Fixed in WordPress 3.9.31
3.9.19
Fixed in WordPress 3.9.31
3.9.18
Fixed in WordPress 3.9.31
3.9.17
Fixed in WordPress 3.9.31
3.9.16
Fixed in WordPress 3.9.31
3.9.15
Fixed in WordPress 3.9.31
3.9.14
Fixed in WordPress 3.9.31
3.9.13
Fixed in WordPress 3.9.31
3.9.12
Fixed in WordPress 3.9.31
3.9.11
Fixed in WordPress 3.9.31
3.9.10
Fixed in WordPress 3.9.31
3.9.1
Fixed in WordPress 3.9.31
3.9
Fixed in WordPress 3.9.31
3.8.9
Fixed in WordPress 3.8.33
3.8.8
Fixed in WordPress 3.8.33
3.8.7
Fixed in WordPress 3.8.33
3.8.6
Fixed in WordPress 3.8.33
3.8.5
Fixed in WordPress 3.8.33
3.8.4
Fixed in WordPress 3.8.33
3.8.32
Fixed in WordPress 3.8.33
3.8.31
Fixed in WordPress 3.8.33
3.8.30
Fixed in WordPress 3.8.33
3.8.3
Fixed in WordPress 3.8.33
3.8.29
Fixed in WordPress 3.8.33
3.8.28
Fixed in WordPress 3.8.33
3.8.27
Fixed in WordPress 3.8.33
3.8.26
Fixed in WordPress 3.8.33
3.8.25
Fixed in WordPress 3.8.33
3.8.24
Fixed in WordPress 3.8.33
3.8.23
Fixed in WordPress 3.8.33
3.8.22
Fixed in WordPress 3.8.33
3.8.21
Fixed in WordPress 3.8.33
3.8.20
Fixed in WordPress 3.8.33
3.8.2
Fixed in WordPress 3.8.33
3.8.19
Fixed in WordPress 3.8.33
3.8.18
Fixed in WordPress 3.8.33
3.8.17
Fixed in WordPress 3.8.33
3.8.16
Fixed in WordPress 3.8.33
3.8.15
Fixed in WordPress 3.8.33
3.8.14
Fixed in WordPress 3.8.33
3.8.13
Fixed in WordPress 3.8.33
3.8.12
Fixed in WordPress 3.8.33
3.8.11
Fixed in WordPress 3.8.33
3.8.10
Fixed in WordPress 3.8.33
3.8.1
Fixed in WordPress 3.8.33
3.8
Fixed in WordPress 3.8.33
3.7.9
Fixed in WordPress 3.7.33
3.7.8
Fixed in WordPress 3.7.33
3.7.7
Fixed in WordPress 3.7.33
3.7.6
Fixed in WordPress 3.7.33
3.7.5
Fixed in WordPress 3.7.33
3.7.4
Fixed in WordPress 3.7.33
3.7.32
Fixed in WordPress 3.7.33
3.7.31
Fixed in WordPress 3.7.33
3.7.30
Fixed in WordPress 3.7.33
3.7.3
Fixed in WordPress 3.7.33
3.7.29
Fixed in WordPress 3.7.33
3.7.28
Fixed in WordPress 3.7.33
3.7.27
Fixed in WordPress 3.7.33
3.7.26
Fixed in WordPress 3.7.33
3.7.25
Fixed in WordPress 3.7.33
3.7.24
Fixed in WordPress 3.7.33
3.7.23
Fixed in WordPress 3.7.33
3.7.22
Fixed in WordPress 3.7.33
3.7.21
Fixed in WordPress 3.7.33
3.7.20
Fixed in WordPress 3.7.33
3.7.2
Fixed in WordPress 3.7.33
3.7.19
Fixed in WordPress 3.7.33
3.7.18
Fixed in WordPress 3.7.33
3.7.17
Fixed in WordPress 3.7.33
3.7.16
Fixed in WordPress 3.7.33
3.7.15
Fixed in WordPress 3.7.33
3.7.14
Fixed in WordPress 3.7.33
3.7.13
Fixed in WordPress 3.7.33
3.7.12
Fixed in WordPress 3.7.33
3.7.11
Fixed in WordPress 3.7.33
3.7.10
Fixed in WordPress 3.7.33
3.7.1
Fixed in WordPress 3.7.33
3.7
Fixed in WordPress 3.7.33

References

CVE
CVE-2020-11025
URL
https://wordpress.org/news/2020/04/wordpress-5-4-1/
URL
https://core.trac.wordpress.org/changeset/47633/
URL
https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
URL
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.7 (low)

Miscellaneous

Original Researcher
Evan Ricafort
Submitter
Ryan
Verified
No
WPVDB ID
4eee26bd-a27e-4509-a3a5-8019dd48e429

Timeline

Publicly Published
2020-04-29 (about 5 years ago)
Added
2020-04-30 (about 5 years ago)
Last Updated
2020-05-02 (about 5 years ago)

Other

Published
Title
Published
2014-08-01
Title
wp-topbar <= 3.04 - XSS in ZeroClipboard.swf
Published
2024-05-14
Title
Mega Elements < 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget
Published
2023-08-16
Title
Stock Exporter for WooCommerce < 1.2.0 - Reflected XSS
Published
2024-12-30
Title
Music Store – WordPress eCommerce < 1.2.0 - Reflected Cross-Site Scripting
Published
2023-09-04
Title
wpShopGermany – Protected Shops < 2.1 - Admin+ Stored XSS