PT-2020-3636 · WordPress · Wordpress

Ben Bidner · Published 2020-06-12 · Updated 2024-03-06 · CVE-2020-4049

CVSS v2.0: 6.3 (Medium)

Vector: AV:N/AC:M/Au:S/C:N/I:C/A:N

Name of the Vulnerable Software and Affected Versions

WordPress versions prior to 5.4.2
WordPress versions 3.7.34 through 5.3.4

Description

The issue is a lack of neutralization of script-related HTML tags on a web page, which a remote attacker can exploit to compromise data integrity. Additionally, when a theme is uploaded, the name of the theme folder can be crafted to lead to JavaScript execution in /wp-admin on the themes page; this requires an admin to upload the theme. This is a low severity self-XSS issue. The vulnerability can also be exploited to bypass authentication, allowing a remote attacker to access confidential data, compromise its integrity, and cause a denial of service.

Recommendations

For WordPress versions prior to 5.4.2, update to version 5.4.2 or later to resolve the issue. For WordPress versions 3.7.34 through 5.3.4, update to the corresponding minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34) to resolve the issue. As a temporary workaround, consider restricting access to the theme upload feature to minimize the risk of exploitation.
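
A pre-upload check that supports the workaround above, as an added example (not WordPress code and not part of the original advisory): it lists the top-level folder names inside a theme ZIP and flags any that contain HTML metacharacters. The function names, the character set and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Characters that are meaningful in HTML markup or attributes. Assumption of this
# example: a theme folder name has no legitimate need for any of them.
HTML_META = set("<>\"'&`")


def theme_folder_names(zip_bytes):
    """Return the distinct top-level names inside a theme ZIP archive."""
    names = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for entry in archive.namelist():
            # Normalise separators, then keep only the first path component.
            top = entry.replace("\\", "/").lstrip("/").split("/", 1)[0]
            if top and top not in names:
                names.append(top)
    return names


def suspicious_folder_names(zip_bytes):
    """Return top-level names with HTML metacharacters or control characters."""
    flagged = []
    for name in theme_folder_names(zip_bytes):
        if any(ch in HTML_META or ord(ch) < 0x20 for ch in name):
            flagged.append(name)
    return flagged


def build_sample_zip(folder):
    """Build an in-memory theme archive (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(folder + "/style.css", "/* Theme Name: Sample */")
        archive.writestr(folder + "/index.php", "<?php // placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Both folder names are constructed samples, not values from the advisory.
    for folder in ("twentysample", "sample<b>theme"):
        hits = suspicious_folder_names(build_sample_zip(folder))
        print(folder, "->", "REJECT" if hits else "ok", hits)
```

A check like this only triages archives before an admin uploads them; updating to a fixed release remains the resolution.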

Fix

Authentication Bypass Using an Alternate Path or Channel

XSS

Weakness Enumeration

Related Identifiers

BDU:2020-03983
BDU:2020-03984
BIT-WORDPRESS-2020-4049
BIT-WORDPRESS-MULTISITE-2020-4049
CVE-2020-4049
DLA-2269-1
DLA-2371-1
DSA-4709-1
GHSA-87H4-PHJV-RM6P

Affected Products

Wordpress