Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2024-4439 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Foundation Wordpress
Severity
6.1MEDIUMNVD
CNA7.2
EPSS
90.8%
top 0.37%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
PublishedMay 3
Description
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages tha…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7
Affected Packages3 packages
Patches
🔴Vulnerability Details
3OSV▶
CVE-2024-4439: WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6↗2024-05-03
GHSA▶
GHSA-682x-vcqv-v7v6: WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6↗2024-05-03
CVEList▶
CVE-2024-4439: WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6↗2024-05-03
💥Exploits & PoCs
1Nuclei▶
WordPress Core <6.5.2 - Cross-Site Scripting
📋Vendor Advisories
1Debian▶
CVE-2024-4439: wordpress - WordPress Core is vulnerable to Stored Cross-Site Scripting via user display nam...↗2024