CVE-2020-11026

Specially crafted filenames in WordPress leading to XSS

In affected versions of WordPress, a file with a specially crafted name, when uploaded to the Media section, can lead to script execution when the file is accessed. Exploitation requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).


We have discovered 252,236 live websites that are affected by CVE-2020-11026.





Affected Software

Product  WordPress
Category Content Management System
Vulnerable Domains 252,236 live websites (2.74% of WordPress install base)
Vulnerable Versions
  • from 3.7 before 3.7.33
  • from 3.8 before 3.8.33
  • from 3.9 before 3.9.31
  • from 4 before 4.0.30
  • from 4.1 before 4.1.30
  • from 4.2 before 4.2.27
  • from 4.3 before 4.3.23
  • from 4.4 before 4.4.22
  • from 4.5 before 4.5.21
  • from 4.6 before 4.6.18
  • from 4.7 before 4.7.17
  • from 4.8 before 4.8.13
  • from 4.9 before 4.9.14
  • from 5 before 5.0.9
  • from 5.1 before 5.1.5
  • from 5.2 before 5.2.6
  • from 5.3 before 5.3.3
  • from 5.4 before 5.4.1
Vulnerable Versions Count 346 versions (37.16% of all versions)


Common Weakness Enumeration

CWE-707 Improper Neutralization



Details

  • Published - May 1, 2020
  • Updated - Aug 4, 2024

CVE-2020-11026 usage by Country

United States 77,124 websites
Japan 25,515 websites
Germany 19,657 websites
Russia 13,501 websites
France 12,866 websites
Poland 8,230 websites
GB 7,695 websites
Netherlands 6,876 websites
Italy 6,395 websites
Canada 6,190 websites

CVE-2020-11026 usage by TLD

.com 103,081 websites
.ru 13,431 websites
.org 11,344 websites
.de 9,491 websites
.net 9,147 websites
.pl 6,446 websites
.co.uk 5,782 websites
.jp 5,737 websites
.nl 5,406 websites
.fr 5,312 websites



FAQ

CVE-2020-11026 is an Improper Neutralization vulnerability in WordPress.
A total of 252,236 websites have been identified as vulnerable to CVE-2020-11026, discovered through global website indexing conducted by WebTechSurvey.
WordPress is susceptible to the CVE-2020-11026 vulnerability.
WordPress versions before 5.4.1 are vulnerable to CVE-2020-11026.
Version 5.4.1 of WordPress addresses the CVE-2020-11026 security vulnerability.