{"id":"CVE-2020-4048","details":"In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).","aliases":["BIT-wordpress-2020-4048","BIT-wordpress-multisite-2020-4048"],"modified":"2026-03-20T11:37:50.813950Z","published":"2020-06-12T16:15:10.623Z","related":["GHSA-q6pw-gvf4-5fj5"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/"},{"type":"ADVISORY","url":"https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-q6pw-gvf4-5fj5"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00000.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/09/msg00011.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4709"},{"type":"ADVISORY","url":"https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/"},{"type":"FIX","url":"https://github.com/WordPress/wordpress-develop/commit/6ef777e9a022bee2a80fa671118e7e2657e52693"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"3921fd373acaeeeee2029f762b676075cf375b33"},{"fixed":"6a7a8a0d2daab6a40cc84e431a726d730d2bde39"},{"introduced":"36470a480cac07d34a355e9f8a9409c1349b6e07"},{"fixed":"b29e8559570e2ee5901242ea6ee5270cfc12eaf9"},{"introduced":"54a3b49fa91b7beeb3da2f448154f9e75f005a9a"},{"fixed":"39aaf4a53b2c58e0c15133c07eed926011bb8830"},{"introduced":"842221094a5011886291b21fd7c705835d69e0bc"},{"fixed":"737cceb8d2ce546c2470be162c7f09a559a5aa69"},{"introduced":"e5e791f331d371ad6262c1893d84f5f2b6c26464"},{"fixed":"ff8c9a02f58af3ef7b599d22a769ed50af9975f5"},{"introduced":"87bf150016e042bc3e21f2f1cb9de44042b8cdb1"},{"fixed":"909db56833d2cdaa84008c08c70ccbf8d443f15e"},{"introduced":"b57f3aa5f00a127f209eff74b78787dd3fd5ed4d"},{"fixed":"1681d8156e716aad9811d4a6a7b1a371913575c4"},{"introduced":"f6a29831c76d2dbe82e9ae673539f910654c58a4"},{"fixed":"049c6e0636b6712d1bfe6fb736956897e0518420"},{"introduced":"e3aafee3f2bc07e09bf79389f20ea3db731466c3"},{"fixed":"2aec937d151925d6b6f8930557025ea70dd585c2"},{"introduced":"fe47e6139dbfc0f0c9ce0d79da77926b5fceaa77"},{"fixed":"7a8356c9b0707fbcbcacb09727dbd608557599dd"},{"introduced":"14247ee4302378d292863865c643abe99bbfe3c7"},{"fixed":"a2209a9fc18f6e1da8a2cd74257f9af75357783d"},{"introduced":"06fa4161aa74619239cf27017d124081c825684a"},{"fixed":"10cc339ba838338b763afd4076397088a51d0249"},{"introduced":"29ffbff370968ae48a1b7a34e35c8b8e75cf0f91"},{"fixed":"4e31f50cf81a8660bb16b78d6da2072844617b92"},{"introduced":"491c67be12ca8a9fe37ae38307ba7e298c976ec3"},{"fixed":"1e0bab9050df62437db599a0811018288fc574c8"},{"introduced":"c33464a4554cff8a082bc353d9226d8104b80d2b"},{"fixed":"fd98e9df6fa7f939665764a92c9c5b882f81e0ad"},{"introduced":"6fe64752be3260f2a47f38e68c2cb77400e5a0c9"},{"fixed":"eed2a4d4ba8624199bccbcba795d63cc9a308658"},{"introduced":"0"},{"fixed":"32d1a07d28428b3bf3c82b646c689a6376bf0d97"},{"introduced":"9ff4499281663b0c772787fd4a60538288f842e9"},{"fixed":"9da0a44b3e70117089257777cc38a3305a6c6c77"}],"database_specific":{"versions":[{"introduced":"3.7"},{"fixed":"3.7.34"},{"introduced":"3.8"},{"fixed":"3.8.34"},{"introduced":"3.9"},{"fixed":"3.9.32"},{"introduced":"4.0"},{"fixed":"4.0.31"},{"introduced":"4.1"},{"fixed":"4.1.31"},{"introduced":"4.2"},{"fixed":"4.2.28"},{"introduced":"4.3"},{"fixed":"4.3.24"},{"introduced":"4.4"},{"fixed":"4.4.23"},{"introduced":"4.5"},{"fixed":"4.5.22"},{"introduced":"4.6"},{"fixed":"4.6.19"},{"introduced":"4.7"},{"fixed":"4.7.18"},{"introduced":"4.8"},{"fixed":"4.8.14"},{"introduced":"4.9"},{"fixed":"4.9.15"},{"introduced":"5.0"},{"fixed":"5.0.10"},{"introduced":"5.1"},{"fixed":"5.1.6"},{"introduced":"5.2"},{"fixed":"5.2.7"},{"introduced":"5.3.0"},{"fixed":"5.3.4"},{"introduced":"5.4"},{"fixed":"5.4.2"}]}},{"type":"GIT","repo":"https://github.com/wordpress/wordpress-develop","events":[{"introduced":"0"},{"fixed":"6ef777e9a022bee2a80fa671118e7e2657e52693"}]}],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"32"}]},{"events":[{"introduced":"0"},{"last_affected":"33"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-4048.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"}]}