CVE-2021-39202: Cross-site Scripting in WordPress wordpress-develop

Severity: 5.4 MEDIUM (NVD)
EPSS: 0.8% (top 25.62%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 9

Description

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the custom HTML widget. This has been patched in WordPress 5.8. It was only present during the testing/beta phase of WordPress 5.8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (3 packages)

CVEListV5: wordpress/wordpress-develop: 5.8 beta 1, 5.8 beta 2, +1

🔴 Vulnerability Details (1)

OSV: CVE-2021-39202: WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database (2021-09-09)

📋 Vendor Advisories (1)

Debian: CVE-2021-39202: wordpress - WordPress is a free and open-source content management system written in PHP and... (2021)