CVE-2021-39201: Cross-site Scripting in WordPress

Severity
NVD: 5.4 MEDIUM
CNA: 7.6

EPSS
0.5% (top 34.17%)

CISA KEV
Not in KEV

Exploit
No known exploits

Timeline
Published: Sep 9, 2021

Description

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database.

Impact

The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`.

Patches

This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly reco

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (4 packages)

Source    | Package                     | Affected versions
debian    | debian/wordpress            | < 5.8.1+dfsg1-1 (bookworm)
NVD       | wordpress/wordpress         | 5.0 to 5.8
Debian    | wordpress/wordpress         | < 5.7.3+dfsg1-0+deb11u1+3
CVEListV5 | wordpress/wordpress-develop | >= 5.0, < 5.8.0

Also affects: Debian Linux 10.0, 11.0

Vulnerability Details (2)

CVEList: Authenticated cross-site scripting (XSS) in WordPress editor (2021-09-09)
OSV: CVE-2021-39201: WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database (2021-09-09)

Vendor Advisories (1)

Debian: CVE-2021-39201: wordpress - WordPress is a free and open-source content management system written in PHP and... (2021)