{"id":"CVE-2020-4049","details":"In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that leads to JavaScript execution in /wp-admin on the themes page. Exploitation requires an administrator to upload the crafted theme, so the injected script runs in the browser of the same privileged user who supplied it; the issue is therefore rated low severity as a self-XSS. This has been patched in version 5.4.2, and the fix was backported to all previously affected release branches via minor releases (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).","aliases":["BIT-wordpress-2020-4049","BIT-wordpress-multisite-2020-4049"],"modified":"2026-04-11T12:34:51.217968Z","published":"2020-06-12T16:15:10.700Z","related":["GHSA-87h4-phjv-rm6p"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"10.0"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"8.0"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"9.0"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"31"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"32"}]}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/"},{"type":"ADVISORY","url":"https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-87h4-phjv-rm6p"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00000.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/0
9/msg00011.html"},{"type":"ADVISORY","url":"https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4709"},{"type":"FIX","url":"https://github.com/WordPress/wordpress-develop/commit/404f397b4012fd9d382e55bf7d206c1317f01148"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"3921fd373acaeeeee2029f762b676075cf375b33"},{"fixed":"6a7a8a0d2daab6a40cc84e431a726d730d2bde39"},{"introduced":"36470a480cac07d34a355e9f8a9409c1349b6e07"},{"fixed":"b29e8559570e2ee5901242ea6ee5270cfc12eaf9"},{"introduced":"54a3b49fa91b7beeb3da2f448154f9e75f005a9a"},{"fixed":"39aaf4a53b2c58e0c15133c07eed926011bb8830"},{"introduced":"842221094a5011886291b21fd7c705835d69e0bc"},{"fixed":"737cceb8d2ce546c2470be162c7f09a559a5aa69"},{"introduced":"e5e791f331d371ad6262c1893d84f5f2b6c26464"},{"fixed":"ff8c9a02f58af3ef7b599d22a769ed50af9975f5"},{"introduced":"87bf150016e042bc3e21f2f1cb9de44042b8cdb1"},{"fixed":"909db56833d2cdaa84008c08c70ccbf8d443f15e"},{"introduced":"b57f3aa5f00a127f209eff74b78787dd3fd5ed4d"},{"fixed":"1681d8156e716aad9811d4a6a7b1a371913575c4"},{"introduced":"f6a29831c76d2dbe82e9ae673539f910654c58a4"},{"fixed":"049c6e0636b6712d1bfe6fb736956897e0518420"},{"introduced":"e3aafee3f2bc07e09bf79389f20ea3db731466c3"},{"fixed":"2aec937d151925d6b6f8930557025ea70dd585c2"},{"introduced":"fe47e6139dbfc0f0c9ce0d79da77926b5fceaa77"},{"fixed":"7a8356c9b0707fbcbcacb09727dbd608557599dd"},{"introduced":"14247ee4302378d292863865c643abe99bbfe3c7"},{"fixed":"a2209a9fc18f6e1da8a2cd74257f9af75357783d"},{"introduced":"06fa4161aa74619239cf27017d124081c825684a"},{"fixed":"10cc339ba838338b763afd4076397088a51d0249"},{"introduced":"29ffbff370968ae48a1b7a34e35c8b8e75cf0f91"},{"fixed":"4e31f50cf81a8660bb16b78d6da2072844617b92"},{"introduced":"491c67be12ca8a9fe37ae38307ba7e298c976ec3"},{"fixed":"1e0bab9050df62437db599a0811018288fc574c8"},{"introduced":"c33464a4554c
ff8a082bc353d9226d8104b80d2b"},{"fixed":"fd98e9df6fa7f939665764a92c9c5b882f81e0ad"},{"introduced":"6fe64752be3260f2a47f38e68c2cb77400e5a0c9"},{"fixed":"eed2a4d4ba8624199bccbcba795d63cc9a308658"},{"introduced":"0"},{"fixed":"32d1a07d28428b3bf3c82b646c689a6376bf0d97"},{"introduced":"9ff4499281663b0c772787fd4a60538288f842e9"},{"fixed":"9da0a44b3e70117089257777cc38a3305a6c6c77"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"3.7"},{"fixed":"3.7.34"},{"introduced":"3.8"},{"fixed":"3.8.34"},{"introduced":"3.9"},{"fixed":"3.9.32"},{"introduced":"4.0"},{"fixed":"4.0.31"},{"introduced":"4.1"},{"fixed":"4.1.31"},{"introduced":"4.2"},{"fixed":"4.2.28"},{"introduced":"4.3"},{"fixed":"4.3.24"},{"introduced":"4.4"},{"fixed":"4.4.23"},{"introduced":"4.5"},{"fixed":"4.5.22"},{"introduced":"4.6"},{"fixed":"4.6.19"},{"introduced":"4.7"},{"fixed":"4.7.18"},{"introduced":"4.8"},{"fixed":"4.8.14"},{"introduced":"4.9"},{"fixed":"4.9.15"},{"introduced":"5.0"},{"fixed":"5.0.10"},{"introduced":"5.1"},{"fixed":"5.1.6"},{"introduced":"5.2"},{"fixed":"5.2.7"},{"introduced":"5.3.0"},{"fixed":"5.3.4"},{"introduced":"5.4"},{"fixed":"5.4.2"}]}}],"versions":["4.9.8"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-4049.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress-develop","events":[{"introduced":"0"},{"fixed":"404f397b4012fd9d382e55bf7d206c1317f01148"}],"database_specific":{"source":"REFERENCES"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-4049.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N"}]}