CVE-2020-11025

Authenticated cross-site scripting (XSS) in WordPress Customizer

In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).


We have discovered 252,236 live websites that are affected by CVE-2020-11025.





Affected Software

Product: WordPress
Category: Content Management System
Vulnerable Domains: 252,236 live websites (2.74% of WordPress install base)
Vulnerable Versions:
  • from 3.7 before 3.7.33
  • from 3.8 before 3.8.33
  • from 3.9 before 3.9.31
  • from 4 before 4.0.30
  • from 4.1 before 4.1.30
  • from 4.2 before 4.2.27
  • from 4.3 before 4.3.23
  • from 4.4 before 4.4.22
  • from 4.5 before 4.5.21
  • from 4.6 before 4.6.18
  • from 4.7 before 4.7.17
  • from 4.8 before 4.8.13
  • from 4.9 before 4.9.14
  • from 5 before 5.0.9
  • from 5.1 before 5.1.5
  • from 5.2 before 5.2.6
  • from 5.3 before 5.3.3
  • from 5.4 before 5.4.1
Vulnerable Versions Count: 346 versions (37.16% of all versions)


Common Weakness Enumeration

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')



Details

  • Published - May 1, 2020
  • Updated - Aug 4, 2024

CVE-2020-11025 usage by Country

United States: 77,124 websites
Japan: 25,515 websites
Germany: 19,657 websites
Russia: 13,501 websites
France: 12,866 websites
Poland: 8,230 websites
GB: 7,695 websites
Netherlands: 6,876 websites
Italy: 6,395 websites
Canada: 6,190 websites

CVE-2020-11025 usage by TLD

.com: 103,081 websites
.ru: 13,431 websites
.org: 11,344 websites
.de: 9,491 websites
.net: 9,147 websites
.pl: 6,446 websites
.co.uk: 5,782 websites
.jp: 5,737 websites
.nl: 5,406 websites
.fr: 5,312 websites


Websites affected by CVE-2020-11025

Top websites that are affected by CVE-2020-11025 (domain names are masked):
Domain | Country | Rank
****.******.com | Singapore | ***
*********.net | United States | ***
****.org | United States | *,***
****************.com | United States | *,***
**********.com | United States | **,***
**********.name | United States | **,***
******.com | United States | **,***
********.com | France | **,***
*********.org | (not listed) | **,***
*********.kz | Kazakhstan | **,***

FAQ

CVE-2020-11025 is an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress.
A total of 252,236 websites have been identified as vulnerable to CVE-2020-11025, discovered through global website indexing conducted by WebTechSurvey.
WordPress is susceptible to the CVE-2020-11025 vulnerability.
WordPress versions before 5.4.1 are vulnerable to CVE-2020-11025.
Version 5.4.1 of WordPress addresses the CVE-2020-11025 security vulnerability.