{"id":"CVE-2020-4048","details":"In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted that leads to an unintended (open) redirect when clicked. This has been patched in version 5.4.2, and in all previously affected versions via minor releases (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).","aliases":["BIT-wordpress-2020-4048","BIT-wordpress-multisite-2020-4048","GHSA-q6pw-gvf4-5fj5"],"modified":"2026-05-18T05:51:11.541635341Z","published":"2020-06-12T16:15:10.623Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"8.0"},{"last_affected":"9.0"},{"last_affected":"10.0"}],"cpes":["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"vendor_product":"debian:debian_linux","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"32"},{"last_affected":"33"}],"vendor_product":"fedoraproject:fedora","source":"CPE_FIELD","cpes":["cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"]}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/"},{"type":"ADVISORY","url":"https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-q6pw-gvf4-5fj5"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00000.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/09/msg00011.html"},{"type":"ADVISORY","url":"https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/"},{"type":"ADVIS
ORY","url":"https://www.debian.org/security/2020/dsa-4709"},{"type":"FIX","url":"https://github.com/WordPress/wordpress-develop/commit/6ef777e9a022bee2a80fa671118e7e2657e52693"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"3921fd373acaeeeee2029f762b676075cf375b33"},{"fixed":"6a7a8a0d2daab6a40cc84e431a726d730d2bde39"},{"introduced":"36470a480cac07d34a355e9f8a9409c1349b6e07"},{"fixed":"b29e8559570e2ee5901242ea6ee5270cfc12eaf9"},{"introduced":"54a3b49fa91b7beeb3da2f448154f9e75f005a9a"},{"fixed":"39aaf4a53b2c58e0c15133c07eed926011bb8830"},{"introduced":"842221094a5011886291b21fd7c705835d69e0bc"},{"fixed":"737cceb8d2ce546c2470be162c7f09a559a5aa69"},{"introduced":"e5e791f331d371ad6262c1893d84f5f2b6c26464"},{"fixed":"ff8c9a02f58af3ef7b599d22a769ed50af9975f5"},{"introduced":"87bf150016e042bc3e21f2f1cb9de44042b8cdb1"},{"fixed":"909db56833d2cdaa84008c08c70ccbf8d443f15e"},{"introduced":"b57f3aa5f00a127f209eff74b78787dd3fd5ed4d"},{"fixed":"1681d8156e716aad9811d4a6a7b1a371913575c4"},{"introduced":"f6a29831c76d2dbe82e9ae673539f910654c58a4"},{"fixed":"049c6e0636b6712d1bfe6fb736956897e0518420"},{"introduced":"e3aafee3f2bc07e09bf79389f20ea3db731466c3"},{"fixed":"2aec937d151925d6b6f8930557025ea70dd585c2"},{"introduced":"fe47e6139dbfc0f0c9ce0d79da77926b5fceaa77"},{"fixed":"7a8356c9b0707fbcbcacb09727dbd608557599dd"},{"introduced":"14247ee4302378d292863865c643abe99bbfe3c7"},{"fixed":"a2209a9fc18f6e1da8a2cd74257f9af75357783d"},{"introduced":"06fa4161aa74619239cf27017d124081c825684a"},{"fixed":"10cc339ba838338b763afd4076397088a51d0249"},{"introduced":"29ffbff370968ae48a1b7a34e35c8b8e75cf0f91"},{"fixed":"4e31f50cf81a8660bb16b78d6da2072844617b92"},{"introduced":"491c67be12ca8a9fe37ae38307ba7e298c976ec3"},{"fixed":"1e0bab9050df62437db599a0811018288fc574c8"},{"introduced":"c33464a4554cff8a082bc353d9226d8104b80d2b"},{"fixed":"fd98e9df6fa7f939665764a92c9c5b882f81e0ad"},{"introduced":"6fe64752be3260f2a47f38e68c2cb77400e5a0c9"},{"f
ixed":"eed2a4d4ba8624199bccbcba795d63cc9a308658"},{"introduced":"0"},{"fixed":"32d1a07d28428b3bf3c82b646c689a6376bf0d97"},{"introduced":"9ff4499281663b0c772787fd4a60538288f842e9"},{"fixed":"9da0a44b3e70117089257777cc38a3305a6c6c77"}],"database_specific":{"extracted_events":[{"introduced":"3.7"},{"fixed":"3.7.34"},{"introduced":"3.8"},{"fixed":"3.8.34"},{"introduced":"3.9"},{"fixed":"3.9.32"},{"introduced":"4.0"},{"fixed":"4.0.31"},{"introduced":"4.1"},{"fixed":"4.1.31"},{"introduced":"4.2"},{"fixed":"4.2.28"},{"introduced":"4.3"},{"fixed":"4.3.24"},{"introduced":"4.4"},{"fixed":"4.4.23"},{"introduced":"4.5"},{"fixed":"4.5.22"},{"introduced":"4.6"},{"fixed":"4.6.19"},{"introduced":"4.7"},{"fixed":"4.7.18"},{"introduced":"4.8"},{"fixed":"4.8.14"},{"introduced":"4.9"},{"fixed":"4.9.15"},{"introduced":"5.0"},{"fixed":"5.0.10"},{"introduced":"5.1"},{"fixed":"5.1.6"},{"introduced":"5.2"},{"fixed":"5.2.7"},{"introduced":"5.3.0"},{"fixed":"5.3.4"},{"introduced":"5.4"},{"fixed":"5.4.2"}],"cpe":"cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["4.9.8"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-4048.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress-develop","events":[{"introduced":"f1d358137f7ed657db6afec1b1eca0b9f7814e25"},{"fixed":"c07e9f03710f86e788bb0a49a7c3292e2d79a84b"},{"introduced":"36e5687edb263228eb912d542ebad988e0672beb"},{"fixed":"7d2f1d08c2ba4dccecd40172b726b5470f337755"},{"introduced":"c1b5c599c9d8d83ba3a1dcfe31570d1b0f6b4c3e"},{"fixed":"6910ad993aadcec814344c31cca9e803219f4286"},{"introduced":"a3a0dab49ed5b740b3f05e48b06b0b259641e2d0"},{"fixed":"6c59f0671b3c4ba6659fd7af896b9c61ef75a972"},{"introduced":"470529c2bf211450e91f01ceadaa9fc97a2b4031"},{"fixed":"d850384898170f2af7602021129d01b4442f42c0"},{"introduced":"7b07c0ccc7453ce057e009ffa65f12a02ce7d2ee"},{"fixed":"7a2874c8c4f698ce85d7a3206701d2acf5fa433c"},{"introduced":"ec8826ed50f8
ce0eea39900eeeba09a9d621f00e"},{"fixed":"9082f7a4ca5c5e4774b206d5553df4d072bdfedd"},{"introduced":"b5f6ca5af6e29fe5df7a65d512b177fa465cfa2e"},{"fixed":"6367d87649ee986c4f02d455b83181d2776bf84d"},{"introduced":"7acf453090c10537e6f41fc4cf2608d7bbcce8ca"},{"fixed":"a5d9b9abcd63bd445bb5131c229c34a619939ff4"},{"introduced":"7c76a1b79e21176b176b5b6d6b03151f8eea4b55"},{"fixed":"9b031271e8c9692ccc354dfbd967a8702b63a79a"},{"introduced":"efa83f48bd4ebd066e5efc94b9feefe50e7925a2"},{"fixed":"85dc7fa04bd5a3d6055238fc99ac9cd4b97a357d"},{"introduced":"2ac9b801ef5c18accf223b093529dacfcf809133"},{"fixed":"7888e7c5317f6bf72b096d81b53268bca762b604"},{"introduced":"31f7ece8503f0dc6ef1df2473ae3f3d352973e12"},{"fixed":"7ce5e05e8f49c0c241b9c74b741f3dbe7b6dce8e"},{"introduced":"b3bf6266acd61682bc654845f621b4426645e324"},{"fixed":"2c0796a4ba0354514c95eb588e6b53e06aeab20e"},{"introduced":"5aa596fee9bf6ea7f0ccc2ed51b16c0f2f04076b"},{"fixed":"6e8baa358ac57a670e389123ddb6062f42ddc2e2"},{"introduced":"1cf3888655c0eb8b0b0539834ad67db5920190d7"},{"fixed":"c57e6ee4a77fb3113b88b7f13e443750e8715a9d"},{"introduced":"d05f0a86b23e37b9d97acd9317ff3fd661d64dea"},{"fixed":"c051f4d7bb12c001d6210a33b2e31c6cf770ee8e"},{"introduced":"e0bedd676512ace4c5586337c072037298315f79"},{"fixed":"addf14cf983bc57e12f8acdb76c33f501ea74fcc"},{"fixed":"6ef777e9a022bee2a80fa671118e7e2657e52693"}],"database_specific":{"extracted_events":[{"introduced":"3.7"},{"fixed":"3.7.34"},{"introduced":"3.8"},{"fixed":"3.8.34"},{"introduced":"3.9"},{"fixed":"3.9.32"},{"introduced":"4.0"},{"fixed":"4.0.31"},{"introduced":"4.1"},{"fixed":"4.1.31"},{"introduced":"4.2"},{"fixed":"4.2.28"},{"introduced":"4.3"},{"fixed":"4.3.24"},{"introduced":"4.4"},{"fixed":"4.4.23"},{"introduced":"4.5"},{"fixed":"4.5.22"},{"introduced":"4.6"},{"fixed":"4.6.19"},{"introduced":"4.7"},{"fixed":"4.7.18"},{"introduced":"4.8"},{"fixed":"4.8.14"},{"introduced":"4.9"},{"fixed":"4.9.15"},{"introduced":"5.0"},{"fixed":"5.0.10"},{"introduced":"5.1"},{"fixed":"5.1.6"},{
"introduced":"5.2"},{"fixed":"5.2.7"},{"introduced":"5.3.0"},{"fixed":"5.3.4"},{"introduced":"5.4"},{"fixed":"5.4.2"}],"cpe":"cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*","source":["CPE_FIELD","REFERENCES"]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-4048.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"}]}