cbcvebase.
CVE-2022-4973
published 2024-10-16

CVSS 3.1 base score: 5.4 (medium); vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Priority: P180 (medium)
In the wild: listed in VulnCheck KEV; exploited in the wild
EPSS: 0.46% (36.3rd percentile)
WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically Authors, Contributors, and Editors. This makes it possible to inject arbitrary web scripts into posts and pages; the scripts execute if the the_meta() function is called on that page.

Affected

31 ranges (showing 25)

Vendor | Product | Version range | Fixed in
debian | wordpress | < wordpress 6.0.2+dfsg1-1 (bookworm) | wordpress 6.0.2+dfsg1-1 (bookworm)
wordpress | wordpress | <= 6.0.2 |
wordpress | wordpress | >= 0 < 5.7.8+dfsg1-0+deb11u1 | 5.7.8+dfsg1-0+deb11u1
wordpress | wordpress | >= 0 < 6.0.2+dfsg1-1 | 6.0.2+dfsg1-1
wordpress | wordpress | >= 0 < 6.0.2+dfsg1-1 | 6.0.2+dfsg1-1
wordpress | wordpress | >= 0 < 6.0.2+dfsg1-1 | 6.0.2+dfsg1-1
wordpress_foundation | wordpress | <= 3.6.1 |
wordpress_foundation | wordpress | 3.7 – 3.7.38 |
wordpress_foundation | wordpress | 3.8 – 3.8.38 |
wordpress_foundation | wordpress | 3.9 – 3.9.36 |
wordpress_foundation | wordpress | 4.0 – 4.0.35 |
wordpress_foundation | wordpress | 4.1 – 4.1.35 |
wordpress_foundation | wordpress | 4.2 – 4.2.32 |
wordpress_foundation | wordpress | 4.3 – 4.3.28 |
wordpress_foundation | wordpress | 4.4 – 4.4.27 |
wordpress_foundation | wordpress | 4.5 – 4.5.26 |
wordpress_foundation | wordpress | 4.6 – 4.6.23 |
wordpress_foundation | wordpress | 4.7 – 4.7.23 |
wordpress_foundation | wordpress | 4.8 – 4.8.19 |
wordpress_foundation | wordpress | 4.9 – 4.9.20 |
wordpress_foundation | wordpress | 5.0 – 5.0.16 |
wordpress_foundation | wordpress | 5.1 – 5.1.13 |
wordpress_foundation | wordpress | 5.2 – 5.2.15 |
wordpress_foundation | wordpress | 5.3 – 5.3.12 |
wordpress_foundation | wordpress | 5.4 – 5.4.10 |

Detection & IOCs (extracted from sources)

  • The stored payload executes only when the the_meta() function is called on a post or page; focus monitoring and WAF rules on pages that render custom field metadata through this function.
  • Exploitation requires an authenticated user with post/page editor access (Author, Contributor, or Editor role); audit post meta fields saved by these roles for unsanitized script content.
  • The vulnerability affects WordPress Core versions up to and including 6.0.2; Debian patched it in 6.0.2+dfsg1-1 (bookworm/sid/trixie/forky) and 5.7.8+dfsg1-0+deb11u1 (bullseye).
  • The XSS is triggered only when the_meta() is rendered on a page; sites that never call this function are not exposed to the execution vector even if malicious meta values are stored.
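
The audit the second bullet calls for, as an added example that is not part of this record or of WordPress: it scans constructed wp_postmeta-style rows for values that would execute if echoed without escaping, limits findings to the roles the advisory names, and renders a the_meta()-style list item both escaped and unescaped. The `<li>` markup is an approximation of the function's output, not WordPress source; the rows, keys, roles and `saved_by_role` join are constructed.

```python
import html
import re
from dataclasses import dataclass

# Markers of active HTML content in a custom field that should hold plain text.
SCRIPT_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),  # inline event handler inside a tag
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I),
]
# Roles the advisory names as able to reach the post/page editor.
EDITOR_ROLES = {"author", "contributor", "editor"}


@dataclass
class MetaRow:
    post_id: int
    meta_key: str
    meta_value: str
    saved_by_role: str  # role of the saving user (assumed joined from user data)


def is_suspicious(value: str) -> bool:
    """True if the raw value carries executable content when echoed without escaping."""
    return any(p.search(value) for p in SCRIPT_PATTERNS)


def audit(rows):
    """(post_id, meta_key, role) for suspicious values saved by editor-level roles."""
    return [(r.post_id, r.meta_key, r.saved_by_role) for r in rows
            if r.saved_by_role.lower() in EDITOR_ROLES and is_suspicious(r.meta_value)]


def render_meta_item(key: str, value: str, escape: bool = True) -> str:
    """Approximate the_meta()'s <li> output. escape=False mirrors the unescaped echo
    the advisory describes; escape=True is the defensive form (not WordPress source)."""
    if escape:
        key, value = html.escape(key), html.escape(value)
    return f"<li><span class='post-meta-key'>{key}:</span> {value}</li>"


# Constructed wp_postmeta-style rows for the demonstration.
SAMPLE_ROWS = [
    MetaRow(10, "subtitle", "Quarterly report, season=2", "author"),
    MetaRow(11, "byline", "<img src=x onerror=alert(1)>", "contributor"),
    MetaRow(12, "cta", "<script>alert(1)</script>", "editor"),
    MetaRow(13, "note", "<script>alert(1)</script>", "administrator"),  # role out of scope
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print("suspicious meta:", finding)
```

Run against a real export, the role column would come from joining wp_postmeta to the saving user's capabilities; the patterns are a first pass and a hit still needs a human look.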

CVSS provenance

  • nvd (v3.1): 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • osv: 5.4 MEDIUM
  • vulncheck: 4.9 MEDIUM
  • vendor_debian: 4.9 MEDIUM