CVE-2019-16781 — Cross-site Scripting in Wordpress

CWE-79 — Cross-site Scripting6 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

3.5%

top 12.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress Debian Linux

Timeline

PublishedDec 26

Latest updateJan 21

Description

In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 5.3.2+dfsg1-1 (bookworm)

▶NVDwordpress/wordpress< 5.3.1

▶Debianwordpress/wordpress< 5.3.2+dfsg1-1+3

Also affects: Debian Linux 10.0, 9.0

🔴Vulnerability Details

OSV

CVE-2019-16781: In WordPress before 5↗2019-12-26

▶

📋Vendor Advisories

Debian

CVE-2019-16781: wordpress - In WordPress before 5.3.1, authenticated users with lower privileges (like contr...↗2019

▶

💬Community

Bugzilla

CVE-2019-16781 wordpress: XSS in WordPress block editor (within dashboard) [epel-7]↗2020-01-21

▶

Bugzilla

CVE-2019-16781 wordpress: XSS in WordPress block editor (within dashboard)↗2020-01-21

▶

Bugzilla

CVE-2019-16781 wordpress: XSS in WordPress block editor (within dashboard) [epel-6]↗2020-01-21

▶