In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
| Link | Tags |
|---|---|
| https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates | release notes vendor advisory |
| https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2 | third party advisory |
| https://www.debian.org/security/2020/dsa-4677 | third party advisory vendor advisory |
| https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html | third party advisory mailing list |