Search for vulnerabilities
Vulnerability details: VCID-cscg-s24f-tqhs
Vulnerability ID VCID-cscg-s24f-tqhs
Aliases CVE-2020-4047
Summary In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
Status Published
Exploitability 0.5
Weighted Severity 6.1
Risk 3.0
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
epss 0.02606 https://api.first.org/data/v1/epss?cve=CVE-2020-4047
epss 0.02606 https://api.first.org/data/v1/epss?cve=CVE-2020-4047
epss 0.02606 https://api.first.org/data/v1/epss?cve=CVE-2020-4047
epss 0.02606 https://api.first.org/data/v1/epss?cve=CVE-2020-4047
epss 0.02606 https://api.first.org/data/v1/epss?cve=CVE-2020-4047
epss 0.02606 https://api.first.org/data/v1/epss?cve=CVE-2020-4047
epss 0.02606 https://api.first.org/data/v1/epss?cve=CVE-2020-4047
epss 0.02606 https://api.first.org/data/v1/epss?cve=CVE-2020-4047
epss 0.02606 https://api.first.org/data/v1/epss?cve=CVE-2020-4047
epss 0.02606 https://api.first.org/data/v1/epss?cve=CVE-2020-4047
epss 0.02606 https://api.first.org/data/v1/epss?cve=CVE-2020-4047
epss 0.02606 https://api.first.org/data/v1/epss?cve=CVE-2020-4047
epss 0.02606 https://api.first.org/data/v1/epss?cve=CVE-2020-4047
epss 0.02909 https://api.first.org/data/v1/epss?cve=CVE-2020-4047
epss 0.02909 https://api.first.org/data/v1/epss?cve=CVE-2020-4047
epss 0.02909 https://api.first.org/data/v1/epss?cve=CVE-2020-4047
cvssv2 3.5 https://nvd.nist.gov/vuln/detail/CVE-2020-4047
cvssv3.1 6.8 https://nvd.nist.gov/vuln/detail/CVE-2020-4047
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2020-4047
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25286
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4047
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4050
https://github.com/WordPress/wordpress-develop/commit/0977c0d6b241479ecedfe19e96be69f727c3f81f
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-8q2w-5m27-wm27
https://lists.debian.org/debian-lts-announce/2020/07/msg00000.html
https://lists.debian.org/debian-lts-announce/2020/09/msg00011.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/
https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
https://www.debian.org/security/2020/dsa-4709
962685 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962685
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
CVE-2020-4047 https://nvd.nist.gov/vuln/detail/CVE-2020-4047
No exploits are available.
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-4047
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-4047
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.85052
EPSS Score 0.02606
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T10:09:53.235712+00:00 NVD Importer Import https://nvd.nist.gov/vuln/detail/CVE-2020-4047 37.0.0