8.1

CVE-2020-11027

In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Data is provided by the National Vulnerability Database (NVD)
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
DebianDebian Linux Version10.0
WordpressWordpress Version >= 3.7 < 3.7.33
WordpressWordpress Version >= 3.8 < 3.8.33
WordpressWordpress Version >= 3.9 < 3.9.31
WordpressWordpress Version >= 4.0 < 4.0.30
WordpressWordpress Version >= 4.1 < 4.1.30
WordpressWordpress Version >= 4.2 < 4.2.27
WordpressWordpress Version >= 4.3 < 4.3.23
WordpressWordpress Version >= 4.4 < 4.4.22
WordpressWordpress Version >= 4.5 < 4.5.21
WordpressWordpress Version >= 4.6 < 4.6.18
WordpressWordpress Version >= 4.7 < 4.7.17
WordpressWordpress Version >= 4.8 < 4.8.13
WordpressWordpress Version >= 4.9 < 4.9.14
WordpressWordpress Version >= 5.0 < 5.0.9
WordpressWordpress Version >= 5.1 < 5.1.5
WordpressWordpress Version >= 5.2 < 5.2.6
WordpressWordpress Version >= 5.3 < 5.3.3
WordpressWordpress Version5.4
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 42.55% 0.974
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 8.1 2.8 5.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov 5.5 8 4.9
AV:N/AC:L/Au:S/C:P/I:P/A:N
security-advisories@github.com 6.1 1.6 4
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
CWE-640 Weak Password Recovery Mechanism for Forgotten Password

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

CWE-672 Operation on a Resource after Expiration or Release

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.