CVE-2020-4047
Authenticated XSS via media attachment page in WordPressIn affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
We have discovered 219,874 live websites that are affected by CVE-2020-4047.
Affected Software
| Product |  WordPress |
| Category | Content Management System |
| Vulnerable Domains | 219,874 live websites (2.53% of WordPress install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 254 versions ( 38% of all versions) |
Common Weakness Enumeration
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)Details
- Published - Jun 12, 2020
- Updated - Aug 4, 2024
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2020-4047 United States | 57,392 websites |
 Japan | 23,636 websites |
 Germany | 15,197 websites |
 Russia | 13,684 websites |
 Italy | 9,816 websites |
 France | 9,636 websites |
 GB | 7,500 websites |
 Poland | 6,954 websites |
 Netherlands | 5,835 websites |
 Canada | 5,481 websites |
Website Distribution by TLD
Number of websites using CVE-2020-4047| .com | 88,940 websites |
| .ru | 11,662 websites |
| .org | 9,993 websites |
| .de | 8,111 websites |
| .net | 8,095 websites |
| .it | 6,669 websites |
| .jp | 5,467 websites |
| .pl | 5,216 websites |
| .co.uk | 4,826 websites |
| .nl | 4,511 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2020-4047
Top websites that are affected by CVE-2020-4047. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.net | United States | *** | |
| ****.org | United States | *,*** | |
| ******.******.one |  Turkey | *,*** | |
| ****************.com | United States | *,*** | |
| **********.com | United States | **,*** | |
| **********.name | United States | **,*** | |
| *********.net |  Singapore | **,*** | |
| ********.com | France | **,*** | |
| *************.de |  Sweden | **,*** | |
| *************.***.au |  Australia | **,*** |
FAQ
CVE-2020-4047 is Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in WordPress
A total of 219,874 websites have been identified as vulnerable to CVE-2020-4047, based on global website indexing conducted by WebTechSurvey.
The WordPress is affected by the CVE-2020-4047 vulnerability.
WordPress versions up to 5.4.2 are vulnerable to CVE-2020-4047.
CVE-2020-4047 is resolved in version 5.4.2 of WordPress.
References
- https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-8q2w-5m27-wm27
- https://github.com/WordPress/wordpress-develop/commit/0977c0d6b241479ecedfe19e96be69f727c3f81f
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/
- https://www.debian.org/security/2020/dsa-4709
- https://lists.debian.org/debian-lts-announce/2020/07/msg00000.html
- https://lists.debian.org/debian-lts-announce/2020/09/msg00011.html