CVE-2020-11029 in WordPress
Summary
by MITRE
In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/06/2025
The vulnerability identified as CVE-2020-11029 represents a critical cross-site scripting flaw within the WordPress content management system that specifically targets the stats() method implementation in the class-wp-object-cache.php file. This vulnerability exists in multiple WordPress versions and allows attackers to inject malicious scripts into web pages viewed by other users, potentially compromising user sessions and enabling unauthorized actions. The flaw stems from insufficient input validation and output escaping mechanisms within the caching system's statistics reporting functionality, which processes user-supplied data without proper sanitization before rendering it in web responses.
The technical exploitation of this vulnerability occurs when malicious actors craft specially formatted input that gets processed through the stats() method, which then fails to properly escape or filter the data before displaying it in the user interface. This creates an environment where attacker-controlled content can be executed in the context of other users' browsers, making it particularly dangerous for administrative interfaces where sensitive operations occur. The vulnerability is classified under CWE-79 as a failure to sanitize user input, specifically manifesting as a cross-site scripting weakness that allows arbitrary script execution. The attack surface is particularly concerning given that WordPress powers over 30% of websites globally, making this vulnerability a prime target for widespread exploitation.
The operational impact of this vulnerability extends beyond simple script injection, as it can enable attackers to perform session hijacking, steal administrative credentials, modify website content, or redirect users to malicious sites. When exploited in administrative contexts, the vulnerability could allow full compromise of WordPress installations, particularly those with elevated user privileges. The patched versions include WordPress 5.4.1 and several previous major releases through minor updates, demonstrating the severity of the issue and the need for immediate patching across all affected versions. This vulnerability aligns with ATT&CK technique T1213.002 for credential access through web application vulnerabilities, and T1566 for initial access through web application attacks, making it a significant threat vector in modern cyberattack campaigns.
Organizations should prioritize immediate patching of all affected WordPress installations, with particular attention to legacy versions that may not receive regular updates. Security teams should implement web application firewalls and input validation measures as additional defenses while monitoring for exploitation attempts. The vulnerability highlights the importance of proper output escaping in caching systems and demonstrates how seemingly benign functionality can become a critical security risk. Regular security audits of WordPress installations should include verification of all caching mechanisms and their handling of user input to prevent similar issues from emerging in the future.