CVE-2020-28037

9.8 CRITICAL

📋 TL;DR

A flaw in is_blog_installed() (wp-includes/functions.php) lets an attacker run a fresh installation over a WordPress site that is already installed. The function decides whether the site is installed by reading the siteurl option and table metadata from the database, and affected versions treat a query that fails because the database is unreachable the same as a query that finds no tables. While the database is unavailable, wp-admin/install.php therefore behaves as it would on an uninstalled site. WordPress credits the report as a method where a denial of service leads to remote code execution: an attacker who can make the database unavailable at the right moment reaches the installer, creates an attacker-controlled administrator account, and from there gets code execution on the web server (plugin upload, theme/plugin file editor), while the original installation is overwritten. Affects WordPress before 5.5.2.

💻 Affected Systems

Products:
  • WordPress
Versions: All versions before 5.5.2. WordPress also shipped backported fixes for the older 3.7 through 5.4 branches alongside 5.5.2, so a site deliberately pinned to an older branch should be checked against that branch's security release rather than the 5.5.2 number alone.
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: No non-default setting is required. Every core download ships wp-admin/install.php and leaves it on disk after installation, and the only thing keeping it closed on an installed site is the is_blog_installed() check that this bug defeats.

📦 What is this software?

WordPress is an open-source content management system written in PHP and backed by MySQL or MariaDB, and the most widely deployed CMS on the web. Its installer (wp-admin/install.php) is part of every core release and remains in place after setup; is_blog_installed() in wp-includes/functions.php is the function that decides whether a request is allowed to run it.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker completes the installer against the live site, obtains an administrator account on the reinstalled site, and turns that into code execution on the web server (plugin upload or the built-in file editor), from which the underlying host and anything reachable from it are at risk.

🟠

Likely Case

Attacker re-runs the installer, which overwrites the existing site's configuration and users: the original site is unavailable (denial of service), content and accounts may be lost, and the attacker holds the only known administrator credentials.

🟢

If Mitigated

With 5.5.2 or later applied, is_blog_installed() no longer treats a failed database connection as an uninstalled site, so the installer stays closed during a database outage. With the web-server block on wp-admin/install.php in place, the request is refused with 403 before PHP runs, whatever the function would have returned, and the attempt is visible in the access log.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs only network access to the site; no account is required. The precondition is that the attacker can make the site's database unavailable (or catch it unavailable) at the moment wp-admin/install.php is requested, which is why the vendor describes the issue as a DoS leading to RCE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: WordPress 5.5.2 and later (5.5.3 fixed a regression in 5.5.2 that broke fresh installs on sites without a configured database connection; already-installed sites were not affected by that regression). Older branches 3.7 through 5.4 received backported security releases at the same time.

Vendor Advisory: https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/

Restart Required: No

Instructions:

1. Back up the site files and database (for example wp db export with WP-CLI, plus a copy of the web root).
2. Update WordPress core to 5.5.2 or later from the admin dashboard, with WP-CLI (wp core update), or by manually replacing core files. If you intentionally stay on an older branch, apply that branch's security release instead.
3. Verify the update: wp core version (or wp-includes/version.php) reports a fixed version, and wp core verify-checksums reports no modified core files.

🔧 Temporary Workarounds

Restrict WordPress Installation Access

Platform: all

Block the installer scripts at the web server, so that even when is_blog_installed() wrongly reports "not installed" the request never reaches wp-admin/install.php. An installed site has no legitimate use for these scripts; remove the block only for a deliberate reinstall.

# For Apache: add to the .htaccess in the WordPress root (mod_rewrite must be enabled)
RewriteEngine On
RewriteRule ^wp-admin/(install|setup-config)\.php$ - [F,L]

# For Nginx: add to the server block, and place it BEFORE the generic "location ~ \.php$" block.
# Regex locations are matched in the order they appear, so if the PHP handler comes first
# the script is executed and this rule never fires.
location ~ ^/wp-admin/(install|setup-config)\.php$ { return 403; }

Confirm the block with a request to /wp-admin/install.php from outside: it should return 403, not the WordPress "already installed" page.

🧯 If You Can't Patch

  • Implement strict network access controls to limit access to the WordPress admin interface, and block wp-admin/install.php and wp-admin/setup-config.php at the web server as above
  • Protect database availability, since the exploit chain starts with a denial of service against it: do not expose the database port to the internet, set sane connection limits, and alert on refused or failed database connections from the web tier
  • Enable comprehensive logging and monitoring for installation attempts, especially POST requests to wp-admin/install.php

🔍 How to Verify

Check if Vulnerable:

Check the WordPress version in the admin dashboard, with wp core version, or in wp-includes/version.php. If the version is below 5.5.2, the site is vulnerable, unless it runs an older branch (3.7 through 5.4) that has received the backported security release for this issue.

Check Version:

grep '\$wp_version' wp-includes/version.php

Verify Fix Applied:

Confirm the version is 5.5.2 or higher (wp core version), that wp core verify-checksums reports clean core files, and, if the web-server workaround is in place, that a request to /wp-admin/install.php returns 403 rather than a WordPress page.
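The version check above, as an added example that is not code from this page or from WordPress: it parses wp-includes/version.php the way the grep does, compares against the fixed release, and embeds a constructed sample so it runs without a WordPress tree. The function names and the sample file contents are assumptions made for the example.

```python
"""Offline check for CVE-2020-28037 exposure by WordPress core version.

Added example, not WordPress code. It reads wp-includes/version.php and compares
the $wp_version value against the fixed release (5.5.2).
"""
import re
from pathlib import Path
from typing import Tuple

FIXED_VERSION = (5, 5, 2)

# Matches the assignment WordPress ships in wp-includes/version.php, e.g.
#   $wp_version = '5.5.1';
VERSION_RE = re.compile(r"^\s*\$wp_version\s*=\s*'([^']*)'\s*;", re.MULTILINE)


def parse_wp_version(version_php: str) -> Tuple[int, int, int]:
    """Return the numeric core version as a 3-tuple.

    Pre-release suffixes such as '-alpha-49340' are dropped, so nightlies are
    compared by base version only and should be checked by hand.
    """
    match = VERSION_RE.search(version_php)
    if not match:
        raise ValueError("no $wp_version assignment found")
    numeric = re.match(r"\d+(?:\.\d+)*", match.group(1))
    if not numeric:
        raise ValueError("unparseable version string: %r" % match.group(1))
    parts = [int(p) for p in numeric.group(0).split(".")]
    parts += [0] * (3 - len(parts))  # '5.5' is the same release as 5.5.0
    return tuple(parts[:3])


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True when the core version predates 5.5.2.

    Conservative by design: WordPress backported this fix to the 3.7-5.4
    branches, so a site deliberately pinned to an older branch may be flagged
    here yet be patched. Compare such sites against their own branch's
    security release.
    """
    return version < FIXED_VERSION


def check_tree(wordpress_root: str) -> Tuple[Tuple[int, int, int], bool]:
    """Check a real WordPress tree: returns (version, vulnerable)."""
    path = Path(wordpress_root, "wp-includes", "version.php")
    version = parse_wp_version(path.read_text(encoding="utf-8"))
    return version, is_vulnerable(version)


# Constructed sample (not a real file from this page): version.php of an
# unpatched 5.5.1 site.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string.
 */
$wp_version = '5.5.1';
"""

if __name__ == "__main__":
    v = parse_wp_version(SAMPLE_VERSION_PHP)
    print("core version %s -> %s" % (".".join(map(str, v)),
                                   "VULNERABLE" if is_vulnerable(v) else "patched"))
```

Run check_tree("/var/www/html") against a real install; the sample run prints the verdict for the embedded 5.5.1 file.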

📡 Detection & Monitoring

Log Indicators:

  • Requests to wp-admin/install.php on an installed site. A lone GET is low-value on its own (scanners hit it constantly, and a healthy site just answers "already installed"); a GET of install.php?step=1 followed by a POST to install.php?step=2 is the installer actually being submitted
  • Requests to wp-admin/setup-config.php
  • Database errors or refused connections in the web tier's PHP/WordPress logs shortly before installer requests (the DoS precondition)
  • Unexpected changes to the wp_users table or the siteurl/home options, or a new administrator account

Network Indicators:

  • HTTP requests to /wp-admin/install.php from unusual sources, especially POSTs
  • Bursts of connection attempts or connection exhaustion against the database server preceding installer requests

SIEM Query:

source="web_access_logs" AND (uri="/wp-admin/install.php*" OR uri="/wp-admin/setup-config.php*")

The wildcard matters: the installer's real steps carry a query string (install.php?step=1, install.php?step=2), so an exact match on the path alone misses them. Prioritise method=POST with step=2 and a 2xx response.
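The triage the query above implies, as an added example that is not code from this page: a small combined-log parser with the rule that separates installer probes from an actual installer submission (POST to install.php?step=2). The log lines are constructed for the example and the function names are assumptions.

```python
"""Hunt for CVE-2020-28037 installer traffic in web access logs.

Added example, not code from the page. Parses Apache/Nginx combined-format
lines and classifies requests to the WordPress installer scripts.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Enough of the "combined" log format for triage: client IP, timestamp,
# method, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

INSTALLER_PATHS = {"/wp-admin/install.php", "/wp-admin/setup-config.php"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a finding kind for installer requests, None for anything else.

    A GET of install.php on an installed site is noise: scanners request it
    constantly and a healthy site answers "already installed". The request that
    creates the administrator account is the POST to install.php?step=2, so it
    gets its own kind and is what a responder escalates on.
    """
    parts = urlsplit(rec["target"])
    if parts.path not in INSTALLER_PATHS:
        return None
    step = parse_qs(parts.query).get("step", [""])[0]
    if rec["method"] == "POST" and parts.path.endswith("/install.php") and step == "2":
        return "install_submit"
    if rec["method"] == "POST":
        return "installer_post"
    return "installer_probe"


def analyze(lines: List[str]) -> Tuple[List[Tuple[str, str, str, str]], Counter]:
    """Return (findings, installer-requests-per-source-ip); findings are
    (ip, kind, status, target) tuples for installer traffic only."""
    findings: List[Tuple[str, str, str, str]] = []
    per_ip: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        per_ip[rec["ip"]] += 1
        findings.append((rec["ip"], kind, rec["status"], rec["target"]))
    return findings, per_ip


def escalate(findings: List[Tuple[str, str, str, str]]) -> List[str]:
    """Sources whose installer submission got a 2xx: treat as a probable
    reinstall until wp_users and the siteurl option have been verified.
    A 403 here means the web-server block did its job."""
    return sorted({ip for ip, kind, status, _ in findings
                   if kind == "install_submit" and status.startswith("2")})


# Constructed sample log (not real traffic): one source walks the installer,
# another browses normally and then hits setup-config.php, which is blocked.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Oct/2020:10:01:02 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Oct/2020:10:01:05 +0000] "GET /wp-admin/install.php?step=1&language=en_US HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Oct/2020:10:01:20 +0000] "POST /wp-admin/install.php?step=2 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.4 - - [29/Oct/2020:10:02:00 +0000] "GET /?p=12 HTTP/1.1" 200 18220 "-" "Mozilla/5.0"
198.51.100.4 - - [29/Oct/2020:10:02:01 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 403 199 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    found, counts = analyze(SAMPLE_LOG.splitlines())
    for f in found:
        print(f)
    print("per source:", dict(counts))
    print("escalate:", escalate(found))
```

Feed analyze() the lines of a real access log; anything returned by escalate() should be cross-checked against the database (new rows in wp_users, changed siteurl/home options) rather than dismissed on the strength of the log alone.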

🔗 References

  • WordPress 5.5.2 Security and Maintenance Release: https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-28037