CVE-2020-11025 MEDIUM

CVE-2020-11025: Authenticated cross-site scripting (XSS) in WordPress Customizer

Vendor Wordpress
Product WordPress
Weakness CWE-79 · XSS
Published April 30, 2020
Last update August 4, 2024
View on NVD All CVEs

CVSS base score

5.8/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Key dates

02Disclosure timeline

April 30, 2020 CVE published
August 4, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-41430 Press vulnerable to reflected XSS on login redirection CVE-2026-1666 Download Manager <= 3.3.46 - Reflected Cross-Site Scripting via 'redirect_to' Parameter CVE-2025-7726 The7 <= 12.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via title and data-dt-img-description Attributes CVE-2025-68512 WordPress Real 3D FlipBook plugin <= 4.11.4 - Cross Site Scripting (XSS) vulnerability CVE-2024-32543 WordPress MJ Update History plugin <= 1.0.4 - Reflected Cross Site Scripting (XSS) vulnerability