CVE-2020-11026

Specially crafted filenames in WordPress leading to XSS

In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).


We have discovered 196,873 live websites that are affected by CVE-2020-11026.


Affected Software

Product  WordPress
Category Content Management System
Vulnerable Domains  196,873 live websites (2.43% of WordPress install base)
Vulnerable Versions
  • from 3.7 through 3.7.33
  • from 3.8 through 3.8.33
  • from 3.9 through 3.9.31
  • from 4 through 4.0.30
  • from 4.1 through 4.1.30
  • from 4.2 through 4.2.27
  • from 4.3 through 4.3.23
  • from 4.4 through 4.4.22
  • from 4.5 through 4.5.21
  • from 4.6 through 4.6.18
  • from 4.7 through 4.7.17
  • from 4.8 through 4.8.13
  • from 4.9 through 4.9.14
  • from 5 through 5.0.9
  • from 5.1 through 5.1.5
  • from 5.2 through 5.2.6
  • from 5.3 through 5.3.3
  • from 5.4 through 5.4.1
Vulnerable Versions Count  238 versions (36% of all versions)


Common Weakness Enumeration

CWE-707 Improper Neutralization



Details

  • Published - May 1, 2020
  • Updated - Aug 4, 2024

Website Distribution by Country

Number of websites affected by CVE-2020-11026
United States  52,610 websites
Japan          19,421 websites
Germany        13,707 websites
Russia         12,576 websites
Italy          8,973 websites
France         8,752 websites
GB             6,551 websites
Poland         6,204 websites
Netherlands    5,249 websites
Sweden         4,936 websites

Website Distribution by TLD

Number of websites affected by CVE-2020-11026
.com    79,037 websites
.ru     10,719 websites
.org    9,419 websites
.de     7,440 websites
.net    7,061 websites
.it     6,086 websites
.pl     4,645 websites
.jp     4,638 websites
.co.uk  4,250 websites
.nl     4,089 websites

FAQ

CVE-2020-11026 is an Improper Neutralization vulnerability in WordPress.
A total of 196,873 websites have been identified as vulnerable to CVE-2020-11026, based on global website indexing conducted by WebTechSurvey.
WordPress is affected by the CVE-2020-11026 vulnerability.
WordPress versions up to 5.4.1 are vulnerable to CVE-2020-11026.
CVE-2020-11026 is resolved in version 5.4.1 of WordPress.