{"id":"CVE-2020-11026","details":"In affected versions of WordPress, a file with a specially crafted name, when uploaded to the Media section, can lead to script execution when the file is accessed. Exploitation requires an authenticated user with privileges to upload files. The issue has been patched in version 5.4.1, and in all previously affected versions via their minor releases (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).","aliases":["BIT-wordpress-2020-11026","BIT-wordpress-multisite-2020-11026"],"modified":"2026-04-10T04:21:41.376425Z","published":"2020-04-30T23:15:11.510Z","related":["GHSA-3gw2-4656-pfr2"],"references":[{"type":"ADVISORY","url":"https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4677"},{"type":"ADVISORY","url":"https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"3921fd373acaeeeee2029f762b676075cf375b33"},{"fixed":"5f0bf1caedc7a0f6f355ec848a3727b410943430"},{"introduced":"36470a480cac07d34a355e9f8a9409c1349b6e07"},{"fixed":"a8e1a81a4a6e3bbd3f365d2097613760a6c65376"},{"introduced":"54a3b49fa91b7beeb3da2f448154f9e75f005a9a"},{"fixed":"1a119122d514818e7383b3521ad6aef4b9d90f30"},{"introduced":"842221094a5011886291b21fd7c705835d69e0bc"},{"fixed":"7a45cb2c3af33300501e5c87def89b7607e173cb"},{"introduced":"e5e791f331d371ad6262c1893d84f5f2b6c26464"},{"fixed":"641b0fea4e35a51ffbcc7ceab5780f0fd2e372fe"},{"introduced":"87bf150016e042bc3e21f2f1cb9de44042b8cdb1"},{"fixed":"022ab492e2901ffd11024b7bfc0db743db2b507f"},{"introduced":"b57f3aa5f00a127f209eff74b78787dd3fd5ed4d"},{"fixed":"e13d8405b4f56838140ed73e52032c3c08a983d4"},{"introduced":"f6a29831c7
6d2dbe82e9ae673539f910654c58a4"},{"fixed":"72f2d37159b724913cfb1c248b8dd2b88ed33ff2"},{"introduced":"e3aafee3f2bc07e09bf79389f20ea3db731466c3"},{"fixed":"ebe83073ffd7954380a37831defa4661d030a7ec"},{"introduced":"fe47e6139dbfc0f0c9ce0d79da77926b5fceaa77"},{"fixed":"f4f41452e0a791ee79ec820070998914fb221586"},{"introduced":"14247ee4302378d292863865c643abe99bbfe3c7"},{"fixed":"f889561be6949a918595723b2c55a6581cd88749"},{"introduced":"06fa4161aa74619239cf27017d124081c825684a"},{"fixed":"9725451e67ed65e76fc43d3dbb5885753c3eb53e"},{"introduced":"29ffbff370968ae48a1b7a34e35c8b8e75cf0f91"},{"fixed":"5c99450be128d698c75b81f77b1ac583ebcd308b"},{"introduced":"491c67be12ca8a9fe37ae38307ba7e298c976ec3"},{"fixed":"400bd2c1e504ad2b90c40f834be6a409b5d1d28e"},{"introduced":"c33464a4554cff8a082bc353d9226d8104b80d2b"},{"fixed":"6b364bc2314f22ed3c73932949b8e52ef9b21578"},{"introduced":"6fe64752be3260f2a47f38e68c2cb77400e5a0c9"},{"fixed":"023c7cba733f1237a3fd5b8c001ccc17e54a7d9f"},{"introduced":"50dc0ca5bb332c895f0f39fe4e6ee1e4a43e06dc"},{"fixed":"055731393c341ac801f3b3bced6bf33d46e40107"},{"introduced":"0"},{"last_affected":"9ff4499281663b0c772787fd4a60538288f842e9"}],"database_specific":{"versions":[{"introduced":"3.7"},{"fixed":"3.7.33"},{"introduced":"3.8"},{"fixed":"3.8.33"},{"introduced":"3.9"},{"fixed":"3.9.31"},{"introduced":"4.0"},{"fixed":"4.0.30"},{"introduced":"4.1"},{"fixed":"4.1.30"},{"introduced":"4.2"},{"fixed":"4.2.27"},{"introduced":"4.3"},{"fixed":"4.3.23"},{"introduced":"4.4"},{"fixed":"4.4.22"},{"introduced":"4.5"},{"fixed":"4.5.21"},{"introduced":"4.6"},{"fixed":"4.6.18"},{"introduced":"4.7"},{"fixed":"4.7.17"},{"introduced":"4.8"},{"fixed":"4.8.13"},{"introduced":"4.9"},{"fixed":"4.9.14"},{"introduced":"5.0"},{"fixed":"5.0.9"},{"introduced":"5.1"},{"fixed":"5.1.5"},{"introduced":"5.2"},{"fixed":"5.2.6"},{"introduced":"5.3"},{"fixed":"5.3.3"},{"introduced":"0"},{"last_affected":"5.4"}]}}],"versions":["4.9.8","5.4"],"database_specific":{"unresolved_ranges":[{"events"
:[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11026.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}