CVE-2021-39201
published 2021-09-09CVE-2021-39201: WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an…
PriorityP427medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
1.50%
71.1th percentile
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. ### References https://wordpress.org/news/category/releases/ https://hackerone.com/reports/1142140 ### For more information If you have any questions or comments about this advisory: * Open an issue in [HackerOne](https://hackerone.com/wordpress)
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | wordpress | < wordpress 5.8.1+dfsg1-1 (bookworm) | wordpress 5.8.1+dfsg1-1 (bookworm) |
| wordpress | wordpress | >= 0 < 5.7.3+dfsg1-0+deb11u1 | 5.7.3+dfsg1-0+deb11u1 |
| wordpress | wordpress | >= 0 < 5.8.1+dfsg1-1 | 5.8.1+dfsg1-1 |
| wordpress | wordpress | >= 0 < 5.8.1+dfsg1-1 | 5.8.1+dfsg1-1 |
| wordpress | wordpress | >= 0 < 5.8.1+dfsg1-1 | 5.8.1+dfsg1-1 |
| wordpress | wordpress | >= 5.0 < 5.8 | 5.8 |
| wordpress | wordpress-develop | — | — |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:N/I:P/A:N
osv5.4MEDIUM
vendor_debian7.6HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Debian
CVE-2021-39201: wordpress - WordPress is a free and open-source content management system written in PHP and...
vendor_debian·2021·CVSS 7.6
CVE-2021-39201 [HIGH] CVE-2021-39201: wordpress - WordPress is a free and open-source content management system written in PHP and...
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. ### References https://wordpress.org/news/category/releases/ https://hackerone.com/reports/1142140 ### For more information If you have any questions or comments about this advisory: * Open an issue in [HackerOne](https://hackerone.com/w
OSV
CVE-2021-39201: WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database
osv·2021-09-09·CVSS 5.4
CVE-2021-39201 [MEDIUM] CVE-2021-39201: WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. ### References https://wordpress.org/news/category/releases/ https://hackerone.com/reports/1142140 ### For more information If you have any questions or comments about this advisory: * Open an issue in [HackerOne](https://hackerone.com/w
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-wh69-25hr-h94vhttps://hackerone.com/reports/1142140https://www.debian.org/security/2021/dsa-4985https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-wh69-25hr-h94vhttps://hackerone.com/reports/1142140https://www.debian.org/security/2021/dsa-4985
2021-09-09
Published