WordPress Vulnerabilities

WordPress < 5.5.2 - Protected Meta That Could Lead to Arbitrary File Deletion

Description

The release notes state:

"Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion."

Affects WordPress

5.5.1
Fixed in WordPress 5.5.2
5.5
Fixed in WordPress 5.5.2

References

CVE
CVE-2020-28039
URL
https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
URL
https://github.com/WordPress/wordpress-develop/commit/d5ddd6d4be1bc9fd16b7796842e6fb26315705ad
URL
https://blog.wpscan.com/2020/10/30/wordpress-5.5.2-security-release.html

Classification

Type
FILE DELETION
OWASP top 10
A6: Security Misconfiguration
CWE
CWE-73
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Slavco
Verified
No
WPVDB ID
30662254-5a8d-40d0-8a31-eb58b51b3c33

Timeline

Publicly Published
2020-10-29 (about 3 years ago)
Added
2020-10-29 (about 3 years ago)
Last Updated
2020-11-02 (about 3 years ago)

Other

Published
Title
Published
2023-03-28
Title
Easy Media Replace < 0.2.0 - Author+ File Deletion
Published
2022-11-30
Title
Easy WP SMTP < 1.5.2 - Admin+ Arbitrary File Deletion
Published
2022-08-03
Title
Download Manager < 3.2.51 - Contributor+ Arbitrary File Deletion
Published
2023-10-11
Title
AI ChatBot < 4.9.1 - Subscriber+ Arbitrary File Deletion
Published
2023-12-26
Title
Media File Renamer < 5.7.8 - Admin+ Remote Code Execution