CVE-2020-28032

9.8 CRITICAL

📋 TL;DR

CVE-2020-28032 is a critical deserialization vulnerability in WordPress that allows remote code execution. It affects WordPress sites before version 5.5.2 by exploiting improper handling of serialized data in the FilteredIterator utility. Any WordPress site running vulnerable versions is at risk of complete compromise.

💻 Affected Systems

Products:
  • WordPress
Versions: All versions before 5.5.2
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations before 5.5.2 are vulnerable regardless of plugins or themes installed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote attacker gains full control of the WordPress server, executes arbitrary code, installs malware, steals data, and pivots to other systems.

🟠 Likely Case

Attackers exploit the vulnerability to install backdoors, deface websites, steal sensitive data, or use the server for cryptocurrency mining or DDoS attacks.

🟢 If Mitigated

With proper network segmentation and minimal privileges, impact is limited to the WordPress application layer, preventing lateral movement to other systems.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, making them directly accessible to attackers worldwide.
🏢 Internal Only: MEDIUM - Internal WordPress sites are still vulnerable but have reduced attack surface compared to internet-facing instances.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploits are publicly available and require no authentication, making this easily weaponizable by attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: WordPress 5.5.2 and later

Vendor Advisory: https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/

Restart Required: No

Instructions:

1. Back up your WordPress site and database.
2. Update WordPress to version 5.5.2 or later via the admin dashboard (Dashboard → Updates).
3. Verify the update completed successfully.
4. Clear any caching plugins or CDN caches.

🔧 Temporary Workarounds

Disable XML-RPC

Platform: all

Temporarily disable XML-RPC functionality, which may be used in exploitation chains.

Add to wp-config.php: add_filter('xmlrpc_enabled', '__return_false');

Note that add_filter() is defined by wp-includes/plugin.php, which is loaded by wp-settings.php; the call must therefore not sit above the require of wp-settings.php at the end of wp-config.php (a must-use plugin in wp-content/mu-plugins is the usual place). Disabling XML-RPC removes one request path but does not remove the vulnerable deserialization code; it is a stopgap until 5.5.2 is installed.

Web Application Firewall Rule

Platform: all

Block requests containing serialized PHP object patterns.

WAF specific - create a rule to block requests with patterns like O:[0-9]+:"\w+":
ModSecurity rule: SecRule ARGS "@rx O:[0-9]+:\"\\w+\":" "id:1001,phase:2,deny"

ARGS covers query-string and form-encoded body parameters only, and POST parameters are visible in phase 2 only with SecRequestBodyAccess On; an XML-RPC request body is not inspected unless REQUEST_BODY is added to the target list. Serialized strings also appear in some legitimate traffic, so test the rule in DetectionOnly mode before enforcing it.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WordPress from critical systems
  • Deploy a web application firewall with rules to detect and block deserialization attacks

🔍 How to Verify

Check if Vulnerable:

Check WordPress version in admin dashboard (Dashboard → Updates) or examine wp-includes/version.php file for version number

Check Version:

grep '\$wp_version' wp-includes/version.php

Verify Fix Applied:

Confirm WordPress version is 5.5.2 or higher and check that the FilteredIterator.php file contains the security patch from the GitHub commit
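The version check above can be scripted for fleet-wide verification. The following is an added example, not code from WordPress or from the advisory: it parses the $wp_version assignment out of wp-includes/version.php (a constructed sample of that file is embedded), compares it numerically against the fixed version 5.5.2 stated above, and reports whether an install is still in the affected range. The function and file names are this example's own; the only fact taken from the page is the fixed version.

```python
import re
from pathlib import Path
from typing import Optional

FIXED_VERSION = "5.5.2"  # first fixed release per the advisory

# Constructed sample of the relevant lines from wp-includes/version.php (not a real file)
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string.
 */
$wp_version = '5.5.1';
$wp_db_version = 48748;
"""

# Matches:  $wp_version = '5.5.1';   (single or double quotes)
_VERSION_RE = re.compile(r"^\s*\$wp_version\s*=\s*['\"]([^'\"]+)['\"]\s*;", re.M)


def parse_wp_version(php_source: str) -> Optional[str]:
    """Return the $wp_version string found in version.php source, or None if absent."""
    m = _VERSION_RE.search(php_source)
    return m.group(1) if m else None


def version_key(version: str) -> tuple:
    """Numeric tuple for comparison: '5.5.2' -> (5, 5, 2).

    Suffixes such as '-alpha-49000' or '-RC1' are dropped so that string
    comparison pitfalls ('5.10' < '5.5') are avoided.
    """
    core = re.match(r"[\d.]+", version).group(0)
    return tuple(int(p) for p in core.split(".") if p != "")


def is_vulnerable(version: str) -> bool:
    """True when the version is below the first fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def check_install(wp_root: str) -> dict:
    """Read wp-includes/version.php under a WordPress root and report its status."""
    src = Path(wp_root, "wp-includes", "version.php").read_text(encoding="utf-8")
    v = parse_wp_version(src)
    if v is None:
        raise ValueError("could not find $wp_version in version.php")
    return {"version": v, "vulnerable": is_vulnerable(v)}


if __name__ == "__main__":
    v = parse_wp_version(SAMPLE_VERSION_PHP)
    print(f"sample install reports {v}: vulnerable={is_vulnerable(v)}")
```

Run check_install() against each document root; a result of vulnerable=True means the core files still predate 5.5.2, and a freshly updated site should report 5.5.2 or later. A version string alone does not prove the FilteredIterator patch is present on a site whose files were partially restored, so the file-level check described above still applies.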

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to XML-RPC endpoints
  • Requests containing serialized object patterns (O:8:"stdClass":)
  • Sudden appearance of new admin users or plugins
  • Unexpected file writes in wp-content/uploads

Network Indicators:

  • HTTP requests with unusual Content-Type headers
  • Multiple rapid requests to wp-admin or xmlrpc.php
  • Outbound connections to suspicious IPs from WordPress server

SIEM Query:

source="wordpress.log" AND ("xmlrpc.php" OR "serialize" OR "O:" OR "unserialize")
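To show how the log indicators above translate into detection logic, here is an added example (not from the advisory or any SIEM product) that scans Apache combined-format access-log lines for two of them: a serialized PHP object header (O:<len>:"<class>":) in the URL-decoded request line, and a burst of POST requests to xmlrpc.php from one source. The log lines are constructed for the example and the thresholds are illustrative. Access logs do not record POST bodies, so serialized payloads carried in an XML-RPC body are only visible in WAF audit logs or application-level logging; this script covers what the web server log can show.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Nov/2020:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.24"
203.0.113.10 - - [10/Nov/2020:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.24"
203.0.113.10 - - [10/Nov/2020:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.24"
203.0.113.10 - - [10/Nov/2020:10:00:04 +0000] "GET /index.php?data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 1024 "-" "curl/7.68"
198.51.100.7 - - [10/Nov/2020:10:05:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2020:10:05:03 +0000] "GET /wp-content/uploads/2020/11/photo.jpg HTTP/1.1" 200 80000 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Serialized PHP object header, the same pattern the advisory's WAF rule looks for
SERIALIZED_OBJ_RE = re.compile(r'O:\d+:"\w+":')


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def scan_log(text, burst_threshold=3, window=timedelta(seconds=10)):
    """Return a list of (indicator, source_ip, detail) tuples for the two indicators."""
    findings = []
    xmlrpc_times = defaultdict(list)

    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Indicator 1: serialized object header in the URL-decoded request path/query
        if SERIALIZED_OBJ_RE.search(unquote_plus(rec["path"])):
            findings.append(("serialized_object", rec["ip"], rec["path"]))
        # Indicator 2: collect POSTs to xmlrpc.php per source for burst detection
        if rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php"):
            xmlrpc_times[rec["ip"]].append(rec["time"])

    # Sliding window: flag a source once if burst_threshold POSTs fall within `window`
    for ip, times in xmlrpc_times.items():
        times.sort()
        for i in range(len(times) - burst_threshold + 1):
            if times[i + burst_threshold - 1] - times[i] <= window:
                detail = f"{burst_threshold} POSTs within {window.total_seconds():.0f}s"
                findings.append(("xmlrpc_burst", ip, detail))
                break
    return findings


if __name__ == "__main__":
    for indicator, ip, detail in scan_log(SAMPLE_LOG):
        print(f"{indicator:18} {ip:15} {detail}")
```

On the sample, the script flags the serialized-object query string and the three-POST burst from 203.0.113.10 and stays silent on the ordinary browsing from 198.51.100.7. Tune burst_threshold and window to the site's legitimate XML-RPC use (mobile apps and Jetpack-style integrations post to xmlrpc.php routinely), and treat a serialized_object hit as a trigger for inspecting the full request in WAF audit logs rather than as proof of exploitation on its own.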

🔗 References
