CVE-2020-4047

Name of the Vulnerable Software and Affected Versions WordPress versions prior to 5.4.2 WordPress versions 5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34

Description The issue is related to the injection of JavaScript into media file attachment pages by authenticated users with upload permissions, such as authors. This can lead to script execution in the context of a higher privileged user when the file is viewed by them.

Recommendations For WordPress versions prior to 5.4.2, update to version 5.4.2 or later to resolve the issue. For WordPress versions 5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34, update to the respective minor release or later to resolve the issue. As a temporary workaround, consider restricting upload permissions for users to minimize the risk of exploitation.