CVE-2022-4973 — Cross-site Scripting in Foundation Wordpress

CWE-79 — Cross-site Scripting6 documents6 sources

Severity

5.4MEDIUMNVD

CNA4.9VulnCheck4.9

EPSS

1.3%

top 20.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Wordpress Foundation Wordpress

Timeline

PublishedOct 16

Description

WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶Debianwordpress/wordpress< 5.7.8+dfsg1-0+deb11u1+3

▶NVDwordpress/wordpress6.0.2

▶CVEListV5wordpress_foundation/wordpress3.7 — 3.7.38+24

Patches

Patch: core.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-mhf3-8588-hqc6: WordPress Core, in versions up to 6↗2024-10-16

▶

CVEList

WordPress Core < 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via use of the_meta(); function↗2024-10-16

▶

OSV

CVE-2022-4973: WordPress Core, in versions up to 6↗2024-10-16

▶

VulnCheck

WordPress Core the_meta Function Stored Cross-Site Scripting Vulnerability↗2022

▶

📋Vendor Advisories

Debian

CVE-2022-4973: wordpress - WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored C...↗2022

▶