WordPress Patches 3-Year-Old High-Severity RCE Bug
The update patches a high-severity bug, which could allow a remote unauthenticated attacker to take over a targeted website via a narrowly tailored denial-of-service attack.
Of the ten security bugs patched by WordPress, a standout flaw, rated high-severity, could be exploited to allow an unauthenticated attacker to execute remote code on systems hosting the vulnerable website.
"The vulnerability allows a remote attacker to compromise the affected website," WordPress wrote in its bulletin posted Friday.
A successful attack lets a remote attacker steal sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks, according to WordPress.
Because WordPress insufficiently sanitizes user-supplied data sent to an affected website, the security release said, a remote attacker "can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website."