CVE-2020-11027

Name of the Vulnerable Software and Affected Versions WordPress versions prior to 5.4.1 WordPress versions 5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33

Description A password reset link emailed to a user does not expire upon changing the user password, allowing access to the email account of the user by a malicious party for successful execution. The issue is related to the lack of a password reset mechanism and can be exploited by a remote attacker to gain access to confidential data and compromise its integrity.

Recommendations For versions prior to 5.4.1, update to version 5.4.1 or later to resolve the issue. For versions 5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33, update to the respective minor release or later to resolve the issue. As a temporary workaround, consider restricting access to the email account of the user to minimize the risk of exploitation.