CVE-2012-3383 — Cross-site Scripting in Wordpress

CWE-2644 documents4 sources

Severity

2.6LOWNVD

EPSS

0.2%

top 63.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress

Timeline

PublishedJul 22

Latest updateMay 17

Description

The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x before 3.4.2, when the multisite feature is enabled, does not properly assign the unfiltered_html capability, which allows remote authenticated users to bypass intended access restrictions and conduct cross-site scripting (XSS) attacks by leveraging the Administrator or Editor role and composing crafted text.

CVSS vector

AV:N/AC:H/C:N/I:P/A:NExploitability: 4.9 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 3.4.1+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 3.4.1+dfsg-1+3

▶NVDwordpress/wordpress3.4.0

🔴Vulnerability Details

GHSA

GHSA-56vr-745r-v7wg: The map_meta_cap function in wp-includes/capabilities↗2022-05-17

▶

OSV

CVE-2012-3383: The map_meta_cap function in wp-includes/capabilities↗2012-07-22

▶

📋Vendor Advisories

Debian

CVE-2012-3383: wordpress - The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x bef...↗2012

▶