WordPress is vulnerable to remote code execution (RCE). Users with upload permissions can upload files containing malicious scripts as attachments, and the malicious code executes when a user with higher privileges views those files.
github.com/WordPress/wordpress-develop/commit/0977c0d6b241479ecedfe19e96be69f727c3f81f
github.com/WordPress/wordpress-develop/security/advisories/GHSA-8q2w-5m27-wm27
lists.debian.org/debian-lts-announce/2020/07/msg00000.html
lists.debian.org/debian-lts-announce/2020/09/msg00011.html
lists.fedoraproject.org/archives/list/[email protected]/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/
lists.fedoraproject.org/archives/list/[email protected]/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/
wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
www.debian.org/security/2020/dsa-4709