CVE-2020-4047 Overview
CVE-2020-4047 is a stored Cross-Site Scripting (XSS) vulnerability affecting WordPress that allows authenticated users with upload permissions to inject malicious JavaScript into media file attachment pages. When a higher privileged user (such as an administrator) views the affected media file, the injected script executes in their browser context, potentially enabling privilege escalation, session hijacking, or unauthorized administrative actions.
Critical Impact
Authenticated attackers with author-level privileges can escalate their access by targeting administrators through crafted media uploads, potentially compromising the entire WordPress installation.
Affected Products
- WordPress versions prior to 5.4.2 (and all legacy branches prior to their respective patched versions)
- Fedora Project Fedora 32 and 33
- Debian Linux 8.0, 9.0, and 10.0
Discovery Timeline
- June 12, 2020 - CVE-2020-4047 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-4047
Vulnerability Analysis
This vulnerability (CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page) exists in how WordPress handles media file attachment pages. Authenticated users with upload permissions, including those with the "Author" role, can inject JavaScript code that persists within the attachment page. The malicious payload remains stored in the database and executes whenever the compromised attachment page is viewed.
The attack requires user interaction—specifically, a higher-privileged user must view the affected media attachment page. When they do, the injected script executes within their authenticated browser session, inheriting their elevated privileges.
Root Cause
The root cause lies in insufficient sanitization and output encoding of user-controlled data associated with media file attachments. WordPress failed to properly neutralize script-related HTML tags before rendering them on attachment pages, allowing stored XSS payloads to persist and execute.
Attack Vector
The attack vector is network-based and requires a low-privileged authenticated session. An attacker with author-level credentials can upload a media file with specially crafted metadata or content that includes malicious JavaScript. The vulnerability specifically targets the media file attachment page rendering process.
The attack flow involves:
- An attacker authenticates as a user with upload permissions (Author role or higher)
- The attacker uploads a media file with embedded malicious JavaScript
- When an administrator or higher-privileged user views the attachment page, the script executes
- The script can perform actions as the victim user, including creating new admin accounts or modifying site content
The vulnerability manifests in how WordPress processes and displays media attachment metadata. For technical implementation details, refer to the GitHub Security Advisory and the security patch commit.
Detection Methods for CVE-2020-4047
Indicators of Compromise
- Unexpected JavaScript code present in media attachment page source code
- Suspicious user activity patterns showing author-level users accessing admin functions
- New administrator accounts created without authorized approval
- Modified site settings or content following media file uploads from non-admin users
Detection Strategies
- Monitor WordPress audit logs for unusual media upload patterns from author-level accounts
- Implement Content Security Policy (CSP) headers to detect and block unauthorized script execution
- Review media library entries for suspicious attachment metadata or descriptions
- Deploy web application firewall (WAF) rules to detect XSS patterns in media uploads
Monitoring Recommendations
- Enable detailed logging for all media upload operations including user context
- Configure alerts for privilege escalation events or new admin account creation
- Regularly scan media attachment pages for embedded script content
- Monitor for changes to WordPress user roles and capabilities
How to Mitigate CVE-2020-4047
Immediate Actions Required
- Update WordPress to version 5.4.2 or the latest patched version for your branch immediately
- Review media library for any suspicious uploads from author-level users
- Audit user accounts for unauthorized privilege changes or new administrator accounts
- Consider temporarily restricting upload permissions to trusted users only
Patch Information
WordPress has released patches across all supported branches. Update to one of the following versions based on your current installation:
| Branch | Patched Version |
|---|---|
| 5.4.x | 5.4.2 |
| 5.3.x | 5.3.4 |
| 5.2.x | 5.2.7 |
| 5.1.x | 5.1.6 |
| 5.0.x | 5.0.10 |
| 4.9.x | 4.9.15 |
| 4.8.x | 4.8.14 |
| 4.7.x | 4.7.18 |
| Legacy (3.7-4.6) | See WordPress Security Release |
The fix is available in commit 0977c0d6b241479ecedfe19e96be69f727c3f81f.
Workarounds
- Restrict media upload capabilities to administrator-only until patching is complete
- Implement strict Content Security Policy headers to mitigate script execution
- Use a Web Application Firewall (WAF) with XSS detection rules
- Review and limit the number of users with upload permissions
# WordPress CLI update command
wp core update
# Verify WordPress version after update
wp core version
# List users with upload capabilities for audit
wp user list --role=author --format=table
wp user list --role=editor --format=table
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
