WordPress Vulnerabilities

WordPress < 5.5.2 - Hardening Deserialization Requests

Description

The release notes state:

"Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests."

This vulnerability affected the third-party "Requests for PHP" library used by WordPress.

Affects WordPress

5.5.1
Fixed in WordPress 5.5.2
5.5
Fixed in WordPress 5.5.2

References

CVE
CVE-2020-28032
URL
https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
URL
https://github.com/WordPress/wordpress-develop/commit/add6bedf3a53b647d0ebda2970057912d3cd79d3
URL
https://blog.wpscan.com/2020/10/30/wordpress-5.5.2-security-release.html
URL
https://github.com/WordPress/Requests/security/advisories/GHSA-52qp-jpq7-6c54

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
0.0 (none)

Miscellaneous

Original Researcher
Alex Concha of the WordPress Security Team
Verified
No
WPVDB ID
f2bd06cf-f4e9-4077-90b0-fba80c3d0969

Timeline

Publicly Published
2020-10-29 (about 3 years ago)
Added
2020-10-29 (about 3 years ago)
Last Updated
2021-04-29 (about 3 years ago)

Other

Published
Title
Published
2023-04-12
Title
ChatBot < 4.4.7 - Unauthenticated PHP Object Injection
Published
2019-04-16
Title
Option Tree < 2.7.0 - PHP Object Injection
Published
2024-04-03
Title
CMB2 < 2.11.0 - Authenticated (Contributor+) PHP Object Injection
Published
2024-03-26
Title
Link Whisper Free < 0.7.2 - Authenticated (Contributor+) PHP Object Injection
Published
2018-03-12
Title
Newsletters Lite < 4.6.8.6 - PHP Object Injection