CVE-2020-28037

Name
CVE-2020-28037
Description
is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).
NVD Severity
high
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Patch https://github.com/WordPress/wordpress-develop/commit/2ca15d1e5ce70493c5c0c096ca0c76503d6da07c
Release Notes https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
Third Party Advisory https://wpscan.com/vulnerability/10450
Third Party Advisory https://lists.debian.org/debian-lts-announce/2020/11/msg00004.html
DEBIAN https://www.debian.org/security/2020/dsa-4784
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHVNK2WYAM3ZTCXTFSEIT56IKLVJHU3/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VUXVUAKL2HL4QYJEPHBNVQQWRMFMII2Y/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VAVVYJKA2I6CRQUINECDPBGWMQDEG244/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* wordpress >= None < 5.5.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status