BIT-wordpress-multisite-2020-11026

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/wordpress-multisite/BIT-wordpress-multisite-2020-11026.json

JSON Data

https://api.test.osv.dev/v1/vulns/BIT-wordpress-multisite-2020-11026

Aliases

Published

2024-03-06T11:12:06.466Z

Modified

2024-11-27T19:40:48.342Z

Summary

[none]

Details

In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Database specific

{
    "cpes": [
        "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:wordpress:wordpress:5.4:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / wordpress-multisite

Package

Name: wordpress-multisite
Purl: pkg:bitnami/wordpress-multisite

Severity

8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

3.7.0

Fixed

3.7.33

Introduced

3.8.0

Fixed

3.8.33

Introduced

3.9.0

Fixed

3.9.31

Introduced

4.0.0

Fixed

4.0.30

Introduced

4.1.0

Fixed

4.1.30

Introduced

4.2.0

Fixed

4.2.27

Introduced

4.3.0

Fixed

4.3.23

Introduced

4.4.0

Fixed

4.4.22

Introduced

4.5.0

Fixed

4.5.21

Introduced

4.6.0

Fixed

4.6.18

Introduced

4.7.0

Fixed

4.7.17

Introduced

4.8.0

Fixed

4.8.13

Introduced

4.9.0

Fixed

4.9.14

Introduced

5.0.0

Fixed

5.0.9

Introduced

5.1.0

Fixed

5.1.5

Introduced

5.2.0

Fixed

5.2.6

Introduced

5.3.0

Fixed

5.3.3

Type: SEMVER
Events: Introduced

5.4.0

Last affected

5.4.0