CVE-2020-11028

Unauthenticated disclosure of certain private posts in WordPress

In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

We have discovered 252,236 live websites that are affected by CVE-2020-11028.

Test my site



Affected Software

Product  WordPress
Category Content Management System
Vulnerable Domains252,236 live websites (2.74% of WordPress install base)
Vulnerable Versions
  • from 3.7 before 3.7.33
  • from 3.8 before 3.8.33
  • from 3.9 before 3.9.31
  • from 4 before 4.0.30
  • from 4.1 before 4.1.30
  • from 4.2 before 4.2.27
  • from 4.3 before 4.3.23
  • from 4.4 before 4.4.22
  • from 4.5 before 4.5.21
  • from 4.6 before 4.6.18
  • from 4.7 before 4.7.17
  • from 4.8 before 4.8.13
  • from 4.9 before 4.9.14
  • from 5 before 5.0.9
  • from 5.1 before 5.1.5
  • from 5.2 before 5.2.6
  • from 5.3 before 5.3.3
  • from 5.4 before 5.4.1
Vulnerable Versions Count346 versions ( 37.16% of all versions)


Common Weakness Enumeration

CWE-284 Improper Access Control



Details

  • Published - May 1, 2020
  • Updated - Aug 4, 2024

CVE-2020-11028 usage by Country

United States77,124 websites


Japan25,515 websites
Germany19,657 websites
Russia13,501 websites
France12,866 websites
Poland8,230 websites
GB7,695 websites
Netherlands6,876 websites
Italy6,395 websites
Canada6,190 websites

CVE-2020-11028 usage by TLD

.com103,081 websites
.ru13,431 websites
.org11,344 websites
.de9,491 websites
.net9,147 websites
.pl6,446 websites
.co.uk5,782 websites
.jp5,737 websites
.nl5,406 websites
.fr5,312 websites

Vulnerable Versions

Vulnerable versions are highlighted in red

Websites affected by CVE-2020-11028

Top websites that are affected by CVE-2020-11028. Please click on the "Contact us" link to get more information.
DomainCountryRankContacts
****.******.com Singapore***
*********.net United States***
****.org United States*,***
****************.com United States*,***
**********.com United States**,***
**********.name United States**,***
******.com United States**,***
********.com France**,***
*********.org **,***
*********.kz Kazakhstan**,***
See full domain list

FAQ

CVE-2020-11028 is Improper Access Control in WordPress
A total of 252,236 websites have been identified as vulnerable to CVE-2020-11028, discovered through global website indexing conducted by WebTechSurvey.
WordPress is susceptible to CVE-2020-11028 vulnerability.
WordPress versions before 5.4.1 are vulnerable to CVE-2020-11028.
Version 5.4.1 of WordPress addresses the CVE-2020-11028 security vulnerability.