CVE-2020-28039

9.1 CRITICAL

📋 TL;DR

This vulnerability in WordPress allows an authenticated user with the Author role or higher to delete arbitrary files that the web-server process is allowed to remove, because is_protected_meta() in wp-includes/meta.php did not correctly decide whether a meta key is protected. Protected keys are the underscore-prefixed ones such as _wp_attached_file, which core itself uses to record where an attachment's file lives; a user who can write that key for an attachment they own controls which file is unlinked when the attachment is deleted. It affects WordPress 3.7 through 5.5.1 and is fixed in 5.5.2 and in the security releases backported to older branches. Deleting the right file (wp-config.php above all) takes the site down and can be the first step of a fuller compromise, so treat it as critical despite the authentication requirement.
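The difference between the pre-fix and post-fix check, as an added Python model (this is not WordPress source, which is PHP): WordPress protects meta keys whose first character is an underscore. The old check compared only the raw first character of the submitted key, while the fix first removes every character that is not printable ASCII or a Unicode letter and only then looks for the leading underscore, so a key padded with a control or otherwise non-printable byte is no longer misclassified as unprotected. Function names and the sample keys below are this example's own.

```python
"""Model of WordPress's protected-meta-key check before and after 5.5.2.

Added illustration, not WordPress code. A meta key that starts with '_'
(for example "_wp_attached_file") is 'protected': it must not be settable
through user-facing custom-field forms. The pre-fix check looked only at
the raw first character; the fixed check sanitizes the key first.
"""


def is_protected_meta_old(meta_key: str) -> bool:
    """Pre-5.5.2 behaviour (modelled): protected iff the raw first char is '_'."""
    return bool(meta_key) and meta_key[0] == "_"


def strip_non_printable(meta_key: str) -> str:
    """Models the fix's sanitization step: keep printable ASCII (0x20-0x7E)
    and Unicode letters, drop everything else (control bytes, NBSP, ...)."""
    return "".join(ch for ch in meta_key if 0x20 <= ord(ch) <= 0x7E or ch.isalpha())


def is_protected_meta_new(meta_key: str) -> bool:
    """5.5.2+ behaviour (modelled): protected iff the sanitized key starts with '_'."""
    return strip_non_printable(meta_key).startswith("_")


def compare(meta_key: str) -> tuple:
    """Return (old_verdict, new_verdict) for one key so the gap is visible."""
    return is_protected_meta_old(meta_key), is_protected_meta_new(meta_key)


if __name__ == "__main__":
    # Constructed sample keys: a harmless custom field, the real protected
    # key, and two padded variants that the old check waves through.
    for key in ["color", "_wp_attached_file", "\x01_wp_attached_file", "\u00a0_thumbnail_id"]:
        old, new = compare(key)
        print(f"{key!r:30} old={old!s:5} new={new}")
```

Only the third and fourth keys differ between the two checks: the old function says "not protected" because the first byte is not an underscore, the fixed one strips the padding and says "protected".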

💻 Affected Systems

Products:
  • WordPress
Versions: 3.7 through 5.5.1 (every release before 5.5.2)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated account with at least the Author role (which by default carries edit_posts and upload_files, so the user can create media attachments and set custom fields on them). No interaction from any other user is needed.

📦 What is this software?

WordPress is an open-source content management system written in PHP and backed by MySQL/MariaDB. It powers a large share of public websites, is usually self-hosted, and exposes a login and admin interface on well-known paths, so unpatched installs are numerous and easy to fingerprint.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Deletion of wp-config.php or of any other file the web-server user can remove. Without wp-config.php WordPress drops into its installation routine, and an attacker who can then complete setup against a database they control ends up with administrative access to the site and a path to code execution; combined with deleted core or plugin files this means data loss, outage, and a foothold for further compromise. Files the PHP process cannot write to, including most files outside the web root, are normally out of reach.

🟠

Likely Case

Unauthorized deletion of files under the WordPress root (uploaded media, plugin and theme files, core files), leading to broken pages, lost content, or denial of service.

🟢

If Mitigated

Once the site runs 5.5.2 or a backported fix, underscore-prefixed meta keys are reliably treated as protected and the file-deletion path is closed. Residual risk is limited to what an Author account can do by design (managing its own media uploads), which is why account hygiene still matters.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid account of Author level or above, but is straightforward once one is obtained (for example through reused credentials or an open registration form that grants that role).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.5.2 and later (security releases with the same fix were also issued for the 3.7 through 5.4 branches)

Vendor Advisory: https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/

Restart Required: No

Instructions:

1. Back up the site files and the database.
2. Update WordPress to 5.5.2 or later via Dashboard > Updates (or `wp core update` with WP-CLI).
3. Verify the update completed: Dashboard > Updates should report 5.5.2 or later.
4. Test site functionality, including media upload and deletion.

🔧 Temporary Workarounds

Restrict User Permissions

all

Limit the Author role and above to trusted users, review existing accounts, and make sure open registration (Settings > General > Membership) is disabled or that the default role for new users is Subscriber.

File Permission Hardening

linux

Deleting a file requires write permission on the directory that contains it, not on the file itself, and the deletion here is performed by PHP running as the web-server user. File modes such as 644 on wp-config.php therefore do not stop this bug. What helps is making sure the web-server user neither owns nor can write to the directories holding wp-config.php and core files; only wp-content/uploads (plus any cache directories your plugins need) should be writable. Example for a Debian-style layout, run from the WordPress root (owner, group and paths are assumptions, adjust to your deployment):

chown -R root:www-data .
find . -type d -exec chmod 750 {} \;
find . -type f -exec chmod 640 {} \;
chown -R www-data:www-data wp-content/uploads

This also blocks dashboard-driven core, plugin and theme updates, so apply those from the shell (or temporarily relax ownership) afterwards.

🧯 If You Can't Patch

  • Restrict who holds the Author role and above, review accounts regularly, and keep wp-config.php and the database backed up off-host.
  • Monitor for the aftermath: a missing wp-config.php shows up as WordPress redirecting visitors to wp-admin/setup-config.php, and deleted core files show up as PHP fatal errors in the web-server error log.
  • WAF rules can only help at the edges, because the abuse travels over the same custom-field and media-deletion requests legitimate authors send. One defensible rule that mirrors the 5.5.2 fix is to reject custom-field submissions whose meta key contains control or other non-printable bytes; otherwise focus WAF effort on login rate-limiting and blocking known-bad accounts.

🔍 How to Verify

Check if Vulnerable:

Check WordPress version in Dashboard > Updates or examine wp-includes/version.php file.

Check Version:

grep '\$wp_version' wp-includes/version.php
wp core version   # same check via WP-CLI, if installed

Verify Fix Applied:

Confirm the version is 5.5.2 or higher (or the backported security release for your branch). The fix lives in is_protected_meta() in wp-includes/meta.php: the patched function sanitizes the key, dropping characters that are not printable ASCII or letters, before testing for the leading underscore, so `grep -n -A3 'function is_protected_meta' wp-includes/meta.php` should show that sanitization step rather than a bare comparison of the key's first character.

📡 Detection & Monitoring

Log Indicators (WordPress core writes no audit log of its own; these come from web-server access and error logs, an audit-log plugin, or the database):

  • Author-level accounts adding or changing custom fields on media attachments, in particular keys that resemble protected keys such as _wp_attached_file
  • _wp_attached_file values in wp_postmeta that contain ../ or an absolute path instead of a path relative to wp-content/uploads
  • Attachment deletions by Author accounts shortly after such changes, followed by missing core files or wp-config.php

Network Indicators:

  • The abuse uses ordinary admin requests (custom fields are saved via POST to wp-admin/admin-ajax.php with action=add-meta or via wp-admin/post.php; attachments are deleted via wp-admin/post.php?action=delete or admin-ajax.php action=delete-post), so no single parameter is diagnostic; correlate by account and timing
  • Visitors being redirected to /wp-admin/setup-config.php, which WordPress serves when wp-config.php is missing

SIEM Query (access-log example; field names depend on your log source and the second clause is the high-confidence one):

source="access.log" AND ((method="POST" AND uri_path="/wp-admin/admin-ajax.php") OR uri_path="/wp-admin/post.php" OR uri_path="/wp-admin/setup-config.php")
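The database-side indicator above can be checked mechanically. The following is an added example, not part of the original page or of WordPress: it scans rows exported from wp_postmeta (for instance with SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE meta_key LIKE '%wp_attached_file%') for attachment paths that resolve outside wp-content/uploads and for meta keys that carry non-printable characters. The sample rows are constructed for illustration and the function names are this example's own.

```python
"""Scan wp_postmeta rows for attachment file paths that escape the uploads
directory and for meta keys containing non-printable characters.

Added example, not WordPress code. Rows are (post_id, meta_key, meta_value)
tuples as returned by a SELECT on wp_postmeta; the ones below are constructed.
"""
import posixpath

ATTACHED_FILE_KEY = "_wp_attached_file"

# Constructed sample export: one clean attachment, two suspicious paths,
# one key padded with a control byte, and one unrelated custom field.
SAMPLE_ROWS = [
    (101, "_wp_attached_file", "2020/10/team-photo.jpg"),
    (102, "_wp_attached_file", "2020/10/../../../wp-config.php"),
    (103, "_wp_attached_file", "/etc/hostname"),
    (104, "\x01_wp_attached_file", "2020/10/x.png"),
    (105, "color", "blue"),
]


def has_non_printable(meta_key: str) -> bool:
    """True if the key contains anything outside printable ASCII / letters."""
    return any(not (0x20 <= ord(ch) <= 0x7E or ch.isalpha()) for ch in meta_key)


def escapes_uploads(rel_path: str) -> bool:
    """True if the stored path would resolve outside wp-content/uploads.

    Legitimate values are relative paths like '2020/10/file.jpg'. An absolute
    path, a backslash (Windows-style traversal) or a normalized path that
    still begins with '..' points somewhere else on disk.
    """
    if rel_path.startswith("/") or "\\" in rel_path:
        return True
    norm = posixpath.normpath(rel_path)
    return norm == ".." or norm.startswith("../")


def scan(rows):
    """Return a list of (post_id, finding) pairs, in row order."""
    findings = []
    for post_id, key, value in rows:
        if has_non_printable(key):
            findings.append((post_id, "non_printable_meta_key"))
        if key == ATTACHED_FILE_KEY and escapes_uploads(value):
            findings.append((post_id, "attached_file_escapes_uploads"))
    return findings


if __name__ == "__main__":
    for post_id, finding in scan(SAMPLE_ROWS):
        print(f"post {post_id}: {finding}")
```

Run it against a real export after restoring from backup or before deleting anything, and treat any hit on attached_file_escapes_uploads as an incident: the only way such a value ends up in wp_postmeta is a bypass of the protected-key check or direct database access.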

🔗 References

  • Vendor advisory (WordPress 5.5.2 security and maintenance release): https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-28039
