CVE-2020-28035

9.8 CRITICAL

📋 TL;DR

CVE-2020-28035 is a privilege escalation vulnerability in WordPress that allows attackers to gain administrative access via XML-RPC. This affects WordPress installations before version 5.5.2. Any WordPress site with XML-RPC enabled is vulnerable to attackers taking full control.

💻 Affected Systems

Products:
  • WordPress
Versions: All versions before 5.5.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: XML-RPC is enabled by default in WordPress installations. The vulnerability affects the core WordPress software regardless of plugins or themes.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers gain full administrative control over the WordPress site, allowing them to deface content, install backdoors, steal data, or use the site for further attacks.

🟠 Likely Case: Attackers escalate privileges to administrator level, enabling them to modify content, install malicious plugins/themes, or create new admin accounts.

🟢 If Mitigated: With proper controls like disabling XML-RPC or implementing strong access controls, impact is limited to potential denial of service or information disclosure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some level of access (typically subscriber or higher) to trigger the privilege escalation via XML-RPC. The vulnerability is in the XML-RPC authentication mechanism.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: WordPress 5.5.2 and later

Vendor Advisory: https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/

Restart Required: No

Instructions:

1. Back up your WordPress site and database.
2. Update WordPress to version 5.5.2 or later via the WordPress admin dashboard (Dashboard → Updates).
3. Verify the update completed successfully.
4. Clear any caching plugins or CDN caches.

🔧 Temporary Workarounds

Disable XML-RPC (platform: all)

Completely disable XML-RPC functionality if it is not needed for your site's operation. Note that the xmlrpc_enabled filter only disables the XML-RPC methods that require authentication; the .htaccess rule blocks the endpoint entirely.

Add to .htaccess:
    <Files xmlrpc.php>
        Order deny,allow
        Deny from all
    </Files>

Add to functions.php:
    add_filter('xmlrpc_enabled', '__return_false');

Restrict XML-RPC Access (platform: linux)

Limit XML-RPC access to specific IP addresses if it is needed for functionality. With "Order deny,allow" the later "Allow from" directive overrides the blanket deny for the listed range.

Add to .htaccess:
    <Files xmlrpc.php>
        Order deny,allow
        Deny from all
        Allow from 192.168.1.0/24
    </Files>

🧯 If You Can't Patch

  • Disable XML-RPC completely using .htaccess or plugin methods
  • Implement strict network access controls to limit XML-RPC exposure

🔍 How to Verify

Check if Vulnerable:

Check the WordPress version in the admin dashboard or in wp-includes/version.php. If the version is below 5.5.2, the site is vulnerable.

Check Version:

grep '\$wp_version' wp-includes/version.php

Verify Fix Applied:

Verify that the WordPress version is 5.5.2 or higher. Test XML-RPC functionality afterwards if your site requires it.
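The version check above, carried through as a small script (an added example, not part of the advisory): it parses $wp_version out of wp-includes/version.php and compares it against 5.5.2 with version-aware sorting, so a release such as 5.10 is not mistaken for something older than 5.5.2. The function names, the PATCHED_VERSION variable and the demo directory tree it builds are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory: read $wp_version from
# wp-includes/version.php and report whether the install predates the
# fixed release 5.5.2. Assumes POSIX sh plus `sort -V` (GNU coreutils or
# busybox); the demo tree at the bottom is constructed, not a real install.

PATCHED_VERSION="5.5.2"

# Print the version string assigned to $wp_version in the file given as $1.
# version.php contains a line such as:  $wp_version = '5.5.1';
wp_version_from_file() {
    sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Succeed (exit 0) when version $1 sorts before the patched version.
# `sort -V` compares dotted versions numerically, so 5.10 > 5.9.
wp_version_is_vulnerable() {
    [ "$1" = "$PATCHED_VERSION" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$PATCHED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$1" ]
}

# Classify a WordPress root directory ($1). Always exits 0 and prints one of:
#   VULNERABLE <version> / PATCHED <version> / UNKNOWN
wp_check_root() {
    ver=$(wp_version_from_file "$1/wp-includes/version.php" 2>/dev/null)
    if [ -z "$ver" ]; then
        echo "UNKNOWN"
    elif wp_version_is_vulnerable "$ver"; then
        echo "VULNERABLE $ver"
    else
        echo "PATCHED $ver"
    fi
}

# Build a constructed sample tree so the script runs offline, then check it.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-includes"
printf "<?php\n\$wp_version = '5.5.1';\n" > "$demo_root/wp-includes/version.php"
wp_check_root "$demo_root"   # prints: VULNERABLE 5.5.1
rm -rf "$demo_root"
```

Point wp_check_root at the document root of a real install (the directory containing wp-includes) to classify it; UNKNOWN means the file could not be read or did not contain a $wp_version assignment, which is itself worth investigating.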

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed XML-RPC authentication attempts
  • Successful XML-RPC login from unusual IP addresses
  • User privilege changes via XML-RPC

Network Indicators:

  • XML-RPC POST requests to /xmlrpc.php with authentication attempts
  • Unusual XML-RPC traffic patterns

SIEM Query:

source="web_server" AND uri_path="/xmlrpc.php" AND method="POST"

Narrow the query further with user_agent="WordPress/*" if you only want requests that identify themselves as coming from another WordPress site (for example pingbacks); keep the conditions joined with AND and explicit parentheses, since mixing AND and OR without them is evaluated differently by different SIEMs.
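The log indicators above, turned into a script that runs over access-log lines (an added example, not from the advisory): it counts POST requests to /xmlrpc.php per source IP and reports the IPs at or above a threshold, which is the same burst pattern the SIEM query is meant to surface. The function names, the threshold and the sample log lines (which use documentation IP ranges) are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the advisory: pick out bursts of POST requests
# to /xmlrpc.php per source IP from a web server access log (combined log
# format). Assumes POSIX sh and awk; the log lines below are constructed
# samples using documentation IP ranges, not real traffic.

# Constructed sample access log: one client hammers xmlrpc.php, another
# makes a single call, and ordinary page views are mixed in.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Nov/2020:14:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:14:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Nov/2020:14:02:02 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:14:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:14:02:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Nov/2020:14:02:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/5.5.1"
203.0.113.7 - - [10/Nov/2020:14:02:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:14:02:05 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:14:02:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
EOF
}

# Read an access log on stdin; print "<ip> <count>" for every source IP with
# at least $1 POST requests to /xmlrpc.php (default 5), sorted by IP.
# In combined log format field 6 is the quoted method ("POST) and field 7
# the request path, so GETs and other paths are ignored.
flag_xmlrpc_bursts() {
    threshold="${1:-5}"
    awk -v thr="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= thr) printf "%s %d\n", ip, hits[ip] }
    ' | sort
}

# Demo on the constructed sample:
sample_log | flag_xmlrpc_bursts 5   # prints: 203.0.113.7 6
```

Against a real server, replace sample_log with `cat /var/log/apache2/access.log` (or the equivalent for your web server) and tune the threshold to the volume of legitimate XML-RPC use; a site with no XML-RPC clients should see no hits at all once the endpoint is blocked.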
