CVE-2019-16780Cross-site Scripting in Wordpress

CWE-79Cross-site Scripting7 documents4 sources
Severity
5.4MEDIUMNVD
EPSS
3.6%
top 12.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
WordpressDebian WordpressDebian Linux
Timeline
PublishedDec 26
Latest updateJan 21

Description

WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly rec

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

debiandebian/wordpress< wordpress 5.3.2+dfsg1-1 (bookworm)
NVDwordpress/wordpress< 5.3.1+1
Debianwordpress/wordpress< 5.3.2+dfsg1-1+3

Also affects: Debian Linux 10.0, 9.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
OSV
CVE-2019-16780: WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed w2019-12-26

📋Vendor Advisories

1
Debian
CVE-2019-16780: wordpress - WordPress users with lower privileges (like contributors) can inject JavaScript ...2019

💬Community

3
Bugzilla
CVE-2019-16780 wordpress: XSS in WordPress block editor2020-01-21
Bugzilla
CVE-2019-16780 wordpress: XSS in WordPress block editor [epel-6]2020-01-21
Bugzilla
CVE-2019-16780 wordpress: XSS in WordPress block editor [epel-7]2020-01-21