cbcvebase.
CVE-2021-39201
published 2021-09-09

CVE-2021-39201: WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an…

PriorityP427medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
1.50%
71.1th percentile
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. ### References https://wordpress.org/news/category/releases/ https://hackerone.com/reports/1142140 ### For more information If you have any questions or comments about this advisory: * Open an issue in [HackerOne](https://hackerone.com/wordpress)

Affected

9 ranges
VendorProductVersion rangeFixed in
debiandebian_linux
debiandebian_linux
debianwordpress< wordpress 5.8.1+dfsg1-1 (bookworm)wordpress 5.8.1+dfsg1-1 (bookworm)
wordpresswordpress>= 0 < 5.7.3+dfsg1-0+deb11u15.7.3+dfsg1-0+deb11u1
wordpresswordpress>= 0 < 5.8.1+dfsg1-15.8.1+dfsg1-1
wordpresswordpress>= 0 < 5.8.1+dfsg1-15.8.1+dfsg1-1
wordpresswordpress>= 0 < 5.8.1+dfsg1-15.8.1+dfsg1-1
wordpresswordpress>= 5.0 < 5.85.8
wordpresswordpress-develop

CVSS provenance

nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:N/I:P/A:N
osv5.4MEDIUM
vendor_debian7.6HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.