CVE-2020-35947: WordPress plugin vulnerability

An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. Nearly all of the AJAX action endpoints lacked permission checks, allowing these actions to be executed by anyone authenticated on the site. This happened because nonces were used as a means of authorization, but a nonce was present in a publicly viewable page. A WordPress nonce is a CSRF token: it shows that a request originated from a page the site rendered, not that the requesting user holds the capability the action requires, so any low-privilege account (a subscriber, for example) that could read the page carrying the nonce could call every handler. The greatest impact was the pagelayer_save_content function, which allowed pages to be modified and allowed stored XSS to occur.
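The pattern described above, written out as an added example (this is not PageLayer's code; the handler name example_save_content, the example_ajax nonce and the _example_builder_content meta key are hypothetical): a handler whose only gate is the nonce, beside the hardened form that also checks the caller's capability on the specific post and filters the HTML.

```php
<?php
// Added example, not PageLayer's own code: the handler and action names
// ('example_save_content', the 'example_ajax' nonce, the
// '_example_builder_content' meta key) are hypothetical. It shows the
// nonce-only pattern the advisory describes and a hardened version.

/*
 * BEFORE (vulnerable pattern): the nonce is the only gate.
 * check_ajax_referer() proves the request came from a page WordPress
 * rendered with that nonce. If the nonce is printed into a publicly
 * viewable page, every logged-in user can copy it, so this check grants
 * nothing beyond "is logged in".
 */
function example_save_content_vulnerable() {
    check_ajax_referer( 'example_ajax', 'nonce' );       // CSRF token, not authorization
    $post_id = (int) ( $_POST['post_id'] ?? 0 );          // any post, no ownership check
    $content = wp_unslash( $_POST['content'] ?? '' );    // raw HTML, never filtered
    update_post_meta( $post_id, '_example_builder_content', $content );  // stored XSS
    wp_send_json_success();
}
// add_action( 'wp_ajax_example_save_content', 'example_save_content_vulnerable' );

/*
 * AFTER (hardened): keep the nonce for CSRF, then require the edit
 * capability for this specific post, and filter HTML for roles that do
 * not hold unfiltered_html. No wp_ajax_nopriv_ registration, so
 * unauthenticated callers never reach the handler.
 */
function example_save_content_fixed() {
    check_ajax_referer( 'example_ajax', 'nonce' );
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );          // sends the response and ends the request
    }
    $content = wp_unslash( $_POST['content'] ?? '' );
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $content = wp_kses_post( $content );             // strips <script>, on* handlers, javascript: URLs
    }
    update_post_meta( $post_id, '_example_builder_content', $content );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_content', 'example_save_content_fixed' );
```

The capability check is per post: current_user_can( 'edit_post', $post_id ) resolves through WordPress's meta-capability mapping, so a contributor can save only their own unpublished drafts while an editor can save any post. The nonce stays in place because it still does its real job, blocking cross-site request forgery against a logged-in editor; it just no longer stands in for authorization.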

How to mitigate CVE-2020-35947

Time needed: 5 minutes.

Follow the instructions, as they will assist you in mitigating the WordPress plugin vulnerability that has been reported in CVE-2020-35947.

  1. Update the PageLayer plugin to version 1.1.2 or later

    The flaw is in the PageLayer plugin, not in WordPress core, so updating WordPress alone does not fix it. Update PageLayer from the Plugins screen in the WordPress admin, or download version 1.1.2 or later from the official WordPress plugin directory (wordpress.org/plugins/pagelayer). The CVE-2020-35947 fix is contained in 1.1.2 and later releases.

  2. Perform a vulnerability assessment

    Perform a scan on your WordPress environment(s) and check for vulnerabilities. Confirm that every site reports PageLayer 1.1.2 or later, and, because the vulnerable pagelayer_save_content action allowed any logged-in user to modify pages, review PageLayer-built pages for content changes you did not make.

  3. Utilize the references

    The CVE-2020-35947 references below describe the affected AJAX handlers and the patched release in detail. Use them to make sure that you are correctly informed.
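A check for step 2, added here as an example and not taken from the page or the plugin: it reads the version from the plugin's header comment and compares it with the fixed release using version_compare(). It assumes the plugin's main file is wp-content/plugins/pagelayer/pagelayer.php under the WordPress root and carries the standard WordPress plugin header; the sample headers it falls back to are constructed for the demonstration.

```php
<?php
// Added example, not the plugin's or the page's code. Reads the version
// from the plugin's header comment and compares it with the fixed
// release. Assumptions: the plugin lives at
// wp-content/plugins/pagelayer/pagelayer.php and uses the standard
// WordPress header; the sample headers below are constructed for the demo.

const PAGELAYER_FIXED_VERSION = '1.1.2';

// Extract "Version: x.y.z" from a WordPress plugin header block.
function pagelayer_version_from_header( string $header ): ?string {
    if ( preg_match( '/^[ \t\/*#@]*Version:[ \t]*(\S+)/mi', $header, $m ) ) {
        return trim( $m[1] );
    }
    return null;
}

// Anything below 1.1.2 is in the affected range given in the advisory.
function pagelayer_is_vulnerable( string $version ): bool {
    return version_compare( $version, PAGELAYER_FIXED_VERSION, '<' );
}

function pagelayer_check_file( string $plugin_file ): string {
    $header = @file_get_contents( $plugin_file, false, null, 0, 8192 );  // header sits in the first 8 KiB
    if ( $header === false ) {
        return "PageLayer main file not found at $plugin_file";
    }
    $version = pagelayer_version_from_header( $header );
    if ( $version === null ) {
        return "No Version header in $plugin_file";
    }
    return sprintf(
        'PageLayer %s: %s',
        $version,
        pagelayer_is_vulnerable( $version )
            ? 'VULNERABLE to CVE-2020-35947 (fixed in ' . PAGELAYER_FIXED_VERSION . ')'
            : 'patched'
    );
}

// Usage: php check-pagelayer.php /var/www/html   (path to the WordPress root)
if ( isset( $argv[1] ) ) {
    $file = rtrim( $argv[1], '/' ) . '/wp-content/plugins/pagelayer/pagelayer.php';
    echo pagelayer_check_file( $file ), "\n";
    exit( 0 );
}

// No path given: run against constructed headers to show both outcomes.
$sample_old = "<?php\n/*\nPlugin Name: PageLayer\nVersion: 1.1.1\n*/";
$sample_new = "<?php\n/*\nPlugin Name: PageLayer\nVersion: 1.1.2\n*/";
foreach ( array( $sample_old, $sample_new ) as $sample ) {
    $v = pagelayer_version_from_header( $sample );
    printf( "constructed header %s -> %s\n", $v, pagelayer_is_vulnerable( $v ) ? 'vulnerable' : 'patched' );
}
```

Run it against each WordPress root you manage; a non-empty exit status is not used here so the script can be dropped into a loop over many sites and its one-line output collected. The header regex follows the same shape WordPress uses to read plugin headers, so a plugin whose version line is indented or preceded by comment markers is still matched.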

References

  • wpscan.com/vulnerability/10239
  • www.wordfence.com/blog/2020/05/high-severity-vulnerabilities-in-pagelayer-plugin-affect-over-200000-wordpress-sites/