CVE-2020-28037: 
NixOS vulnerability analysis and mitigation

CVE-2020-28037 affects WordPress versions before 5.5.2, specifically the isbloginstalled function in wp-includes/functions.php. The vulnerability was discovered by Omar Ganiev and disclosed in October 2020. The issue stems from improper determination of whether WordPress is already installed, which could potentially allow attackers to perform a new installation of WordPress (WordPress News, WPScan).

The vulnerability occurs when the isbloginstalled function in WordPress improperly determines the installation status of WordPress. The attack involves creating a Denial of Service (DoS) condition on the MySQL database, which would make WordPress think it has not been installed, subsequently presenting the installation wizard. According to the original researcher, the attack would be very hard to reproduce. The vulnerability has been assigned a CVSS score of 9.8 (Critical) (Rapid7).

If successfully exploited, this vulnerability could lead to remote code execution (RCE) as well as a denial of service for the existing installation. This means an attacker could potentially take complete control of the affected WordPress site (NVD, CVE).

The vulnerability was fixed in WordPress version 5.5.2. Users are strongly recommended to upgrade to this version or later to protect against this security issue. The fix was also backported to all WordPress versions since 3.7 (WordPress News).