
45 vulnerabilities found for wordpress by wordpress

CVE-2025-58674 (GCVE-0-2025-58674)

Vulnerability from cvelistv5 – Published: 2025-09-23 18:47 – Updated: 2025-10-01 08:35 X_Open Source
Title
WordPress <= 6.8.2 - (Author+) Cross Site Scripting (XSS) Vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. The WordPress core security team is aware of the issue and working on a fix. This is a low-severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Patchstack
Impacted products
Vendor     Product    Affected range (versionType custom)   First fixed release
WordPress  WordPress  6.8 through 6.8.2                     6.8.3
                      6.7 through 6.7.3                     6.7.4
                      6.6 through 6.6.3                     6.6.4
                      6.5 through 6.5.6                     6.5.7
                      6.4 through 6.4.6                     6.4.7
                      6.3 through 6.3.6                     6.3.7
                      6.2 through 6.2.7                     6.2.8
                      6.1 through 6.1.8                     6.1.9
                      6.0 through 6.0.10                    6.0.11
                      5.9 through 5.9.11                    5.9.12
                      5.8 through 5.8.11                    5.8.12
                      5.7 through 5.7.13                    5.7.14
                      5.6 through 5.6.15                    5.6.16
                      5.5 through 5.5.16                    5.5.17
                      5.4 through 5.4.17                    5.4.18
                      5.3 through 5.3.19                    5.3.20
                      5.2 through 5.2.22                    5.2.23
                      5.1 through 5.1.20                    5.1.21
                      5.0 through 5.0.23                    5.0.24
                      4.9 through 4.9.27                    4.9.28
                      4.8 through 4.8.26                    4.8.27
                      4.7 through 4.7.30                    4.7.31
Credits
  • savphill (Patchstack Bug Bounty Program), finder
  • John Blackbourn (WordPress core security team lead), coordinator

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58674",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-23T19:15:09.886956Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-23T19:17:35.099Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WordPress",
          "repo": "https://github.com/WordPress/WordPress",
          "vendor": "WordPress",
          "versions": [
            {
              "changes": [
                {
                  "at": "6.8.3",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.8.2",
              "status": "affected",
              "version": "6.8",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.7.4",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.7.3",
              "status": "affected",
              "version": "6.7",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.6.4",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.6.3",
              "status": "affected",
              "version": "6.6",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.5.7",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.5.6",
              "status": "affected",
              "version": "6.5",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.4.7",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.4.6",
              "status": "affected",
              "version": "6.4",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.3.7",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.3.6",
              "status": "affected",
              "version": "6.3",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.2.8",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.2.7",
              "status": "affected",
              "version": "6.2",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.1.9",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.1.8",
              "status": "affected",
              "version": "6.1",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.0.11",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.0.10",
              "status": "affected",
              "version": "6.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.9.12",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.9.11",
              "status": "affected",
              "version": "5.9",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.8.12",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.8.11",
              "status": "affected",
              "version": "5.8",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.7.14",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.7.13",
              "status": "affected",
              "version": "5.7",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.6.16",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.6.15",
              "status": "affected",
              "version": "5.6",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.5.17",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.5.16",
              "status": "affected",
              "version": "5.5",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.4.18",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.4.17",
              "status": "affected",
              "version": "5.4",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.3.20",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.3.19",
              "status": "affected",
              "version": "5.3",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.2.23",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.2.22",
              "status": "affected",
              "version": "5.2",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.1.21",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.1.20",
              "status": "affected",
              "version": "5.1",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.0.24",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.0.23",
              "status": "affected",
              "version": "5.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "4.9.28",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "4.9.27",
              "status": "affected",
              "version": "4.9",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "4.8.27",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "4.8.26",
              "status": "affected",
              "version": "4.8",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "4.7.31",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "4.7.30",
              "status": "affected",
              "version": "4.7",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "savphill (Patchstack Bug Bounty Program)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "John Blackbourn (WordPress core security team lead)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.\u003c/span\u003e\u003cp\u003eThis issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-592 Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T08:35:39.048Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://wordpress.org/news/2025/09/wordpress-6-8-3-release/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31."
            }
          ],
          "value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "WordPress \u003c= 6.8.2 - (Author+) Cross Site Scripting (XSS) Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-58674",
    "datePublished": "2025-09-23T18:47:02.628Z",
    "dateReserved": "2025-09-03T09:03:46.831Z",
    "dateUpdated": "2025-10-01T08:35:39.048Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-58246 (GCVE-0-2025-58246)

Vulnerability from cvelistv5 – Published: 2025-09-23 17:17 – Updated: 2025-10-01 08:37 X_Open Source
Title
WordPress <= 6.8.2 - (Contributor+) Sensitive Data Exposure Vulnerability
Summary
Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability; Contributor-level privileges are required to exploit it. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.
CWE
  • CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
Patchstack
Impacted products
Vendor     Product    Affected range (versionType custom)   First fixed release
WordPress  WordPress  6.8 through 6.8.2                     6.8.3
                      6.7 through 6.7.3                     6.7.4
                      6.6 through 6.6.3                     6.6.4
                      6.5 through 6.5.6                     6.5.7
                      6.4 through 6.4.6                     6.4.7
                      6.3 through 6.3.6                     6.3.7
                      6.2 through 6.2.7                     6.2.8
                      6.1 through 6.1.8                     6.1.9
                      6.0 through 6.0.10                    6.0.11
                      5.9 through 5.9.11                    5.9.12
                      5.8 through 5.8.11                    5.8.12
                      5.7 through 5.7.13                    5.7.14
                      5.6 through 5.6.15                    5.6.16
                      5.5 through 5.5.16                    5.5.17
                      5.4 through 5.4.17                    5.4.18
                      5.3 through 5.3.19                    5.3.20
                      5.2 through 5.2.22                    5.2.23
                      5.1 through 5.1.20                    5.1.21
                      5.0 through 5.0.23                    5.0.24
                      4.9 through 4.9.27                    4.9.28
                      4.8 through 4.8.26                    4.8.27
                      4.7 through 4.7.30                    4.7.31
Credits
  • Abu Hurayra (Patchstack Bug Bounty Program), finder
  • John Blackbourn (WordPress core security team lead), coordinator
  • Timothy Jacobs, reporter
  • Peter Wilson, reporter
  • Mike Nelson, reporter

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58246",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-23T18:30:39.501670Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-23T18:37:38.153Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WordPress",
          "repo": "https://github.com/WordPress/WordPress",
          "vendor": "WordPress",
          "versions": [
            {
              "changes": [
                {
                  "at": "6.8.3",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.8.2",
              "status": "affected",
              "version": "6.8",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.7.4",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.7.3",
              "status": "affected",
              "version": "6.7",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.6.4",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.6.3",
              "status": "affected",
              "version": "6.6",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.5.7",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.5.6",
              "status": "affected",
              "version": "6.5",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.4.7",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.4.6",
              "status": "affected",
              "version": "6.4",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.3.7",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.3.6",
              "status": "affected",
              "version": "6.3",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.2.8",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.2.7",
              "status": "affected",
              "version": "6.2",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.1.9",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.1.8",
              "status": "affected",
              "version": "6.1",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.0.11",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.0.10",
              "status": "affected",
              "version": "6.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.9.12",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.9.11",
              "status": "affected",
              "version": "5.9",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.8.12",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.8.11",
              "status": "affected",
              "version": "5.8",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.7.14",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.7.13",
              "status": "affected",
              "version": "5.7",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.6.16",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.6.15",
              "status": "affected",
              "version": "5.6",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.5.17",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.5.16",
              "status": "affected",
              "version": "5.5",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.4.18",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.4.17",
              "status": "affected",
              "version": "5.4",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.3.20",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.3.19",
              "status": "affected",
              "version": "5.3",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.2.23",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.2.22",
              "status": "affected",
              "version": "5.2",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.1.21",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.1.20",
              "status": "affected",
              "version": "5.1",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.0.24",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.0.23",
              "status": "affected",
              "version": "5.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "4.9.28",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "4.9.27",
              "status": "affected",
              "version": "4.9",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "4.8.27",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "4.8.26",
              "status": "affected",
              "version": "4.8",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "4.7.31",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "4.7.30",
              "status": "affected",
              "version": "4.7",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Abu Hurayra (Patchstack Bug Bounty Program)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "John Blackbourn (WordPress core security team lead)"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Timothy Jacobs"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Peter Wilson"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Mike Nelson"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eInsertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges required in order to exploit it.\u003c/span\u003e\u003cbr\u003e\u003cp\u003eThis issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.\u003c/p\u003e"
            }
          ],
          "value": "Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges required in order to exploit it.\nThis issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-201",
              "description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T08:37:01.207Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-sensitive-data-exposure-vulnerability?_s_id=cve"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://wordpress.org/news/2025/09/wordpress-6-8-3-release/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31."
            }
          ],
          "value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "WordPress \u003c= 6.8.2 - (Contributor+) Sensitive Data Exposure Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-58246",
    "datePublished": "2025-09-23T17:17:12.399Z",
    "dateReserved": "2025-08-27T16:19:44.959Z",
    "dateUpdated": "2025-10-01T08:37:01.207Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-54352 (GCVE-0-2025-54352)

Vulnerability from cvelistv5 – Published: 2025-07-21 00:00 – Updated: 2025-07-21 18:15
Summary
WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior.
CWE
  • CWE-669 - Incorrect Resource Transfer Between Spheres
Assigner
mitre
Impacted products
Vendor     Product    Version
WordPress  WordPress  Affected: 3.5 , ≤ 6.8.2 (custom)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54352",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-21T18:14:44.588087Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-21T18:15:20.785Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "WordPress",
          "vendor": "WordPress",
          "versions": [
            {
              "lessThanOrEqual": "6.8.2",
              "status": "affected",
              "version": "3.5",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "6.8.2",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-669",
              "description": "CWE-669 Incorrect Resource Transfer Between Spheres",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-21T04:27:10.814Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.imperva.com/blog/beware-a-threat-actor-could-steal-the-titles-of-your-private-and-draft-wordpress-posts/"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-54352",
    "datePublished": "2025-07-21T00:00:00.000Z",
    "dateReserved": "2025-07-21T00:00:00.000Z",
    "dateUpdated": "2025-07-21T18:15:20.785Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}
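
The pingback.ping method in this record is reached through xmlrpc.php without authentication, and the record notes that the vendor is not changing the behaviour, so the practical mitigation is to keep the method from reaching WordPress at all. The following is an added example, not code from WordPress or from the CVE record: a reverse-proxy or WAF style filter in Python that inspects POST bodies sent to xmlrpc.php, drops any call that would invoke a pingback.* method, whether called directly or wrapped in system.multicall, and strips the X-Pingback response header that advertises the endpoint. The sample request bodies, hostnames and the body size limit are constructed for the example; the method names are the real XML-RPC names.

```python
"""Edge filter for WordPress XML-RPC pingback calls (added example, not WordPress code)."""
import xml.etree.ElementTree as ET
from typing import Dict, List

BLOCKED_PREFIX = "pingback."      # pingback.ping, pingback.extensions.getPingbacks
MAX_BODY_BYTES = 64 * 1024        # constructed limit; legitimate XML-RPC bodies are small


def xmlrpc_method_names(body: bytes) -> List[str]:
    """Every method a methodCall would invoke: the top-level methodName and, for
    system.multicall, the methodName member of each wrapped call. Returns []
    for anything that is not a parseable methodCall; the caller decides what
    an unparseable body means (here: pass it on, WordPress rejects it itself)."""
    if len(body) > MAX_BODY_BYTES:
        return []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    if root.tag != "methodCall":
        return []
    top = (root.findtext("methodName") or "").strip()
    if not top:
        return []
    names = [top]
    if top == "system.multicall":
        for member in root.iter("member"):
            if (member.findtext("name") or "").strip() != "methodName":
                continue
            value = member.find("value")
            if value is None:
                continue
            # XML-RPC allows <value><string>x</string></value> or the bare <value>x</value>
            inner = (value.findtext("string") or value.text or "").strip()
            if inner:
                names.append(inner)
    return names


def should_block(method: str, path: str, body: bytes) -> bool:
    """Drop POSTs to xmlrpc.php that would invoke any pingback.* method, directly
    or inside system.multicall. Every other request passes, because the other
    XML-RPC methods have legitimate clients."""
    if method.upper() != "POST":
        return False
    if path.split("?", 1)[0].rsplit("/", 1)[-1] != "xmlrpc.php":
        return False
    return any(name.startswith(BLOCKED_PREFIX) for name in xmlrpc_method_names(body))


def strip_pingback_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Remove the X-Pingback header WordPress adds to advertise the endpoint."""
    return {k: v for k, v in headers.items() if k.lower() != "x-pingback"}


# Constructed sample bodies; the URLs are placeholders, not real sites.
PINGBACK_BODY = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://attacker.example/post</string></value></param>
    <param><value><string>https://blog.example/?p=123</string></value></param>
  </params>
</methodCall>"""

MULTICALL_BODY = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params><param><value><array><data>
    <value><struct>
      <member><name>methodName</name><value><string>pingback.ping</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>http://attacker.example/post</string></value>
        <value><string>https://blog.example/?p=123</string></value>
      </data></array></value></member>
    </struct></value>
  </data></array></value></param></params>
</methodCall>"""

LIST_METHODS_BODY = b"""<?xml version="1.0"?>
<methodCall><methodName>system.listMethods</methodName><params/></methodCall>"""
```

Inside WordPress the same effect comes from removing the entry in the xmlrpc_methods filter; the xmlrpc_enabled filter is not enough, because it only disables the methods that require authentication and pingback.ping is not one of them. The filter above deliberately lets every other XML-RPC method through, since clients such as Jetpack still depend on them; if XML-RPC is not used at all, denying xmlrpc.php outright at the web server is the simpler rule. The pingback `<link>` element in page HTML advertises the endpoint as well and would need the same treatment.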

CVE-2023-5561 (GCVE-0-2023-5561)

Vulnerability from cvelistv5 – Published: 2023-10-16 19:39 – Updated: 2025-04-23 16:12
Title
WordPress < 6.3.2 - Unauthenticated Post Author Email Disclosure
Summary
WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack
Assigner
WPScan
Impacted products
Vendor     Product    Version
WordPress  WordPress  Affected: 6.3.0 , < 6.3.2 (semver)
                      Affected: 6.2.0 , < 6.2.3 (semver)
                      Affected: 6.1.0 , < 6.1.4 (semver)
                      Affected: 6.0.0 , < 6.0.6 (semver)
                      Affected: 5.9.0 , < 5.9.8 (semver)
                      Affected: 5.8.0 , < 5.8.8 (semver)
                      Affected: 5.7.0 , < 5.7.10 (semver)
                      Affected: 5.6.0 , < 5.6.12 (semver)
                      Affected: 5.5.0 , < 5.5.13 (semver)
                      Affected: 5.4.0 , < 5.4.14 (semver)
                      Affected: 5.3.0 , < 5.3.16 (semver)
                      Affected: 5.2.0 , < 5.2.19 (semver)
                      Affected: 5.0.0 , < 5.0.20 (semver)
                      Affected: 4.9.0 , < 4.9.24 (semver)
                      Affected: 4.8.0 , < 4.8.23 (semver)
                      Affected: 4.7.0 , < 4.7.27 (semver)
Credits
Marc Montpas (finder), WPScan (coordinator)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:59:44.898Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "exploit",
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441"
          },
          {
            "tags": [
              "technical-description",
              "x_transferred"
            ],
            "url": "https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00014.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-5561",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T16:07:50.654852Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T16:12:25.833Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WordPress",
          "vendor": "WordPress",
          "versions": [
            {
              "lessThan": "6.3.2",
              "status": "affected",
              "version": "6.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2.3",
              "status": "affected",
              "version": "6.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.4",
              "status": "affected",
              "version": "6.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.0.6",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.9.8",
              "status": "affected",
              "version": "5.9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.8.8",
              "status": "affected",
              "version": "5.8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.7.10",
              "status": "affected",
              "version": "5.7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.6.12",
              "status": "affected",
              "version": "5.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.5.13",
              "status": "affected",
              "version": "5.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.4.14",
              "status": "affected",
              "version": "5.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.3.16",
              "status": "affected",
              "version": "5.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.2.19",
              "status": "affected",
              "version": "5.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.0.20",
              "status": "affected",
              "version": "5.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.9.24",
              "status": "affected",
              "version": "4.9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.8.23",
              "status": "affected",
              "version": "4.8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.7.27",
              "status": "affected",
              "version": "4.7.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marc Montpas"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-20T23:06:10.636Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00014.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress \u003c 6.3.2 - Unauthenticated Post Author Email Disclosure",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2023-5561",
    "datePublished": "2023-10-16T19:39:10.424Z",
    "dateReserved": "2023-10-12T17:42:19.461Z",
    "dateUpdated": "2025-04-23T16:12:25.833Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}
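
The record describes an oracle: the REST user search matched against a column (the email address) that the public response never returns, so each query answered one yes/no question about a hidden value. The block below is an added Python model of that class of bug, not WordPress code and not the request sequence from the WPScan write-up: a small in-memory user search whose trailing `*` does prefix matching, as the WP_User_Query search syntax does, the character-by-character extraction that becomes possible while the email column is searchable, and the same extraction failing once the searchable columns are restricted to fields the caller can already see. The user data, the alphabet and the column names are constructed for the example.

```python
"""Search-column oracle: vulnerable and restricted search side by side (added example)."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Sequence


@dataclass(frozen=True)
class User:
    id: int
    login: str
    display_name: str
    email: str  # stored and searchable, but never part of the public response


# Constructed sample data for the illustration.
USERS = (
    User(1, "admin", "Site Admin", "ops@example.org"),
    User(2, "jane", "Jane Doe", "jane.d@example.org"),
)

PUBLIC_COLUMNS = ("login", "display_name")          # what an anonymous caller may match on
VULNERABLE_COLUMNS = PUBLIC_COLUMNS + ("email",)    # the hidden column is searchable too


def search_users(term: str, columns: Iterable[str],
                 users: Sequence[User] = USERS) -> List[int]:
    """Model of a user-search endpoint. A trailing '*' turns the term into a
    prefix match; otherwise a column must equal the term. Only IDs come back,
    so the response never shows the email, yet each call still answers the
    question 'does some searchable column of this user start with <term>?'."""
    prefix = term.endswith("*")
    needle = term.rstrip("*").lower()
    hits: List[int] = []
    for user in users:
        for col in columns:
            value = getattr(user, col).lower()
            matched = value.startswith(needle) if prefix else value == needle
            if matched:
                hits.append(user.id)
                break
    return hits


ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789.@_-+"   # constructed; a real attack widens this


def extract_hidden_field(oracle: Callable[[str], List[int]], target_id: int,
                         public_values: Sequence[str], seed: str = "",
                         max_len: int = 64) -> Optional[str]:
    """Recover a hidden searchable value one character at a time.

    A hit only counts when none of the target's visible fields explains it
    (the attacker sees those in the response), so a hidden value that shares a
    prefix with a visible one must be reached through `seed`. Returns None when
    the oracle yields nothing beyond the visible fields, which is the outcome
    against an endpoint that searches only PUBLIC_COLUMNS."""
    visible = [v.lower() for v in public_values]

    def informative(query: str) -> bool:
        plain = query.rstrip("*")
        return target_id in oracle(query) and not any(v.startswith(plain) for v in visible)

    known = seed
    for _ in range(max_len):
        if known and informative(known):     # exact match without wildcard: value complete
            return known
        for ch in ALPHABET:
            if informative(known + ch + "*"):
                known += ch
                break
        else:
            return None                      # no character extends the prefix
    return None


def vulnerable_oracle(term: str) -> List[int]:
    return search_users(term, VULNERABLE_COLUMNS)


def restricted_oracle(term: str) -> List[int]:
    return search_users(term, PUBLIC_COLUMNS)


if __name__ == "__main__":
    print(extract_hidden_field(vulnerable_oracle, 1, ["admin", "Site Admin"]))    # ops@example.org
    print(extract_hidden_field(restricted_oracle, 1, ["admin", "Site Admin"]))    # None
```

The defence is structural rather than a filter on the search term: search only the columns the caller is allowed to read, and treat any observable difference that depends on a hidden column, including distinct error messages and response timing, as a disclosure channel. The extractor above needs roughly one request per alphabet symbol per character, which is also what a rate-limit or anomaly rule on the users endpoint should be sized to catch.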

CVE-2022-3590 (GCVE-0-2022-3590)

Vulnerability from cvelistv5 – Published: 2022-12-14 08:33 – Updated: 2025-04-21 14:12
Title
WP <= 6.1.1 - Unauthenticated Blind SSRF via DNS Rebinding
Summary
WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
Assigner
WPScan
Impacted products
Vendor     Product    Version
WordPress  WordPress  Affected: 4.1.30 , ≤ 6.1.1 (custom)
Credits
Thomas Chauchefoin (finder), WPScan (coordinator)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:14:02.086Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "exploit",
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.9,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-3590",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-21T14:10:54.697734Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-21T14:12:02.956Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "WordPress",
          "vendor": "WordPress",
          "versions": [
            {
              "lessThanOrEqual": "6.1.1",
              "status": "affected",
              "version": "4.1.30",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Thomas Chauchefoin"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            },
            {
              "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-10T09:10:27.114Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11"
        },
        {
          "url": "https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WP \u003c= 6.1.1 - Unauthenticated Blind SSRF via DNS Rebinding",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-3590",
    "datePublished": "2022-12-14T08:33:40.434Z",
    "dateReserved": "2022-10-18T14:10:29.395Z",
    "dateUpdated": "2025-04-21T14:12:02.956Z",
    "requesterUserId": "dc9e157c-ddf1-4983-adaf-9f01d16b5e04",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}
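
The TOCTOU named in this record is the classic DNS-rebinding gap in an SSRF guard: the hostname is resolved and the address checked against the forbidden ranges, then the hostname, not the checked address, is handed to the HTTP client, which resolves it again and can receive a different answer. The following is an added example, not code from WordPress or from the Sonar write-up: a check-then-use fetch beside a version that pins the validated address, both driven by a stand-in resolver that answers with a public address first and 127.0.0.1 second, as a rebinding authoritative server with a zero TTL would. The resolver, the connect stand-in, the hostname and the addresses are constructed for the example.

```python
"""Check-then-use SSRF guard versus address pinning (added example, not WordPress code)."""
import ipaddress
from typing import Callable, Dict, Iterator, List
from urllib.parse import urlsplit

Resolver = Callable[[str], str]          # hostname -> IP literal
Connector = Callable[[str, str], str]    # (address to connect to, Host header) -> response


def is_public(ip: str) -> bool:
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def rebinding_resolver(host: str, answers: List[str]) -> Resolver:
    """Constructed stand-in for an attacker's authoritative DNS: hands out the
    entries of `answers` in order for `host` (a public address for the guard's
    lookup, a loopback address for the client's), then repeats the last one."""
    queue: Iterator[str] = iter(answers)
    last = answers[-1]

    def resolve(name: str) -> str:
        if name != host:
            raise LookupError(name)
        return next(queue, last)
    return resolve


def fetch_vulnerable(url: str, resolve: Resolver, connect: Connector) -> str:
    """The flawed pattern: validate one resolution, then let the client resolve again."""
    host = urlsplit(url).hostname or ""
    if not is_public(resolve(host)):            # time of check
        raise PermissionError("target resolves to a forbidden address")
    return connect(resolve(host), host)          # time of use: a second, unchecked lookup


def fetch_pinned(url: str, resolve: Resolver, connect: Connector) -> str:
    """Resolve once, validate that address, and connect to exactly that address.
    The hostname travels only in the Host header (and in SNI / certificate checks)."""
    host = urlsplit(url).hostname or ""
    ip = resolve(host)
    if not is_public(ip):
        raise PermissionError("target resolves to a forbidden address")
    return connect(ip, host)


def report_address(ip: str, host: str) -> str:
    """Connect stand-in: returns the address it was asked to reach instead of fetching."""
    return ip


def demo() -> Dict[str, str]:
    """Run both fetches against a fresh rebinding resolver each; the result shows
    which address each variant actually connected to."""
    results: Dict[str, str] = {}
    for name, fn in (("vulnerable", fetch_vulnerable), ("pinned", fetch_pinned)):
        resolve = rebinding_resolver("attacker.example", ["93.184.216.34", "127.0.0.1"])
        results[name] = fn("http://attacker.example/pingback", resolve, report_address)
    return results


if __name__ == "__main__":
    print(demo())   # {'vulnerable': '127.0.0.1', 'pinned': '93.184.216.34'}
```

When the pinned connection is made over TLS the original hostname still has to be used for SNI and for certificate verification, and every redirect target must go through the same resolve-validate-pin step, otherwise the guard is bypassed one hop later. The forbidden set should also cover IPv6 forms of the internal ranges, including IPv4-mapped addresses.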

CVE-2020-11026 (GCVE-0-2020-11026)

Vulnerability from cvelistv5 – Published: 2020-04-30 22:15 – Updated: 2024-08-04 11:21
Title
Specially crafted filenames in WordPress leading to XSS
Summary
In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
CWE
  • CWE-707 - Improper Neutralization
Assigner
GitHub_M
Impacted products
Vendor     Product    Version
WordPress  WordPress  Affected: >= 5.4.0, < 5.4.1
                      Affected: >= 5.3.0, < 5.3.3
                      Affected: >= 5.2.0, < 5.2.6
                      Affected: >= 5.1.0, < 5.1.5
                      Affected: >= 5.0.0, < 5.0.9
                      Affected: >= 4.9.0, < 4.9.14
                      Affected: >= 4.8.0, < 4.8.13
                      Affected: >= 4.7.0, < 4.7.17
                      Affected: >= 4.6.0, < 4.6.18
                      Affected: >= 4.5.0, < 4.5.21
                      Affected: >= 4.4.0, < 4.4.22
                      Affected: >= 4.3.0, < 4.3.23
                      Affected: >= 4.2.0, < 4.2.27
                      Affected: >= 4.1.0, < 4.1.30
                      Affected: >= 4.0.0, < 4.0.30
                      Affected: >= 3.9.0, < 3.9.31
                      Affected: >= 3.8.0, < 3.8.33
                      Affected: >= 3.7.0, < 3.7.33

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:21:14.284Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2"
          },
          {
            "name": "DSA-4677",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4677"
          },
          {
            "name": "[debian-lts-announce] 20200511 [SECURITY] [DLA 2208-1] wordpress security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WordPress",
          "vendor": "WordPress",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.4.0, \u003c 5.4.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.3.0, \u003c 5.3.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.2.0, \u003c 5.2.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.1.0, \u003c 5.1.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.0.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.9.0, \u003c 4.9.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.8.0, \u003c 4.8.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.7.0, \u003c 4.7.17"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.6.0, \u003c 4.6.18"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.5.0, \u003c 4.5.21"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.4.0, \u003c 4.4.22"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.3.0, \u003c 4.3.23"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.2.0, \u003c 4.2.27"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 4.1.30"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.30"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.9.0, \u003c 3.9.31"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.8.0, \u003c 3.8.33"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.7.0, \u003c 3.7.33"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-707",
              "description": "CWE-707: Improper Neutralization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-11T15:06:03.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2"
        },
        {
          "name": "DSA-4677",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4677"
        },
        {
          "name": "[debian-lts-announce] 20200511 [SECURITY] [DLA 2208-1] wordpress security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html"
        }
      ],
      "source": {
        "advisory": "GHSA-3gw2-4656-pfr2",
        "discovery": "UNKNOWN"
      },
      "title": "Specially crafted filenames in WordPress leading to XSS",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-11026",
          "STATE": "PUBLIC",
          "TITLE": "Specially crafted filenames in WordPress leading to XSS"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WordPress",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 5.4.0, \u003c 5.4.1"
                          },
                          {
                            "version_value": "\u003e= 5.3.0, \u003c 5.3.3"
                          },
                          {
                            "version_value": "\u003e= 5.2.0, \u003c 5.2.6"
                          },
                          {
                            "version_value": "\u003e= 5.1.0, \u003c 5.1.5"
                          },
                          {
                            "version_value": "\u003e= 5.0.0, \u003c 5.0.9"
                          },
                          {
                            "version_value": "\u003e= 4.9.0, \u003c 4.9.14"
                          },
                          {
                            "version_value": "\u003e= 4.8.0, \u003c 4.8.13"
                          },
                          {
                            "version_value": "\u003e= 4.7.0, \u003c 4.7.17"
                          },
                          {
                            "version_value": "\u003e= 4.6.0, \u003c 4.6.18"
                          },
                          {
                            "version_value": "\u003e= 4.5.0, \u003c 4.5.21"
                          },
                          {
                            "version_value": "\u003e= 4.4.0, \u003c 4.4.22"
                          },
                          {
                            "version_value": "\u003e= 4.3.0, \u003c 4.3.23"
                          },
                          {
                            "version_value": "\u003e= 4.2.0, \u003c 4.2.27"
                          },
                          {
                            "version_value": "\u003e= 4.1.0, \u003c 4.1.30"
                          },
                          {
                            "version_value": "\u003e= 4.0.0, \u003c 4.0.30"
                          },
                          {
                            "version_value": "\u003e= 3.9.0, \u003c 3.9.31"
                          },
                          {
                            "version_value": "\u003e= 3.8.0, \u003c 3.8.33"
                          },
                          {
                            "version_value": "\u003e= 3.7.0, \u003c 3.7.33"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "WordPress"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33)."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-707: Improper Neutralization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates",
              "refsource": "MISC",
              "url": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates"
            },
            {
              "name": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2",
              "refsource": "CONFIRM",
              "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2"
            },
            {
              "name": "DSA-4677",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4677"
            },
            {
              "name": "[debian-lts-announce] 20200511 [SECURITY] [DLA 2208-1] wordpress security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-3gw2-4656-pfr2",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-11026",
    "datePublished": "2020-04-30T22:15:32.000Z",
    "dateReserved": "2020-03-30T00:00:00.000Z",
    "dateUpdated": "2024-08-04T11:21:14.284Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-11028 (GCVE-0-2020-11028)

Vulnerability from cvelistv5 – Published: 2020-04-30 22:15 – Updated: 2024-08-04 11:21
Title
Unauthenticated disclosure of certain private posts in WordPress
Summary
In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
CWE
  • CWE-284 - Improper Access Control
Assigner
Impacted products
Vendor Product Version
WordPress WordPress Affected: >= 5.4.0, < 5.4.1
Affected: >= 5.3.0, < 5.3.3
Affected: >= 5.2.0, < 5.2.6
Affected: >= 5.1.0, < 5.1.5
Affected: >= 5.0.0, < 5.0.9
Affected: >= 4.9.0, < 4.9.14
Affected: >= 4.8.0, < 4.8.13
Affected: >= 4.7.0, < 4.7.17
Affected: >= 4.6.0, < 4.6.18
Affected: >= 4.5.0, < 4.5.21
Affected: >= 4.4.0, < 4.4.22
Affected: >= 4.3.0, < 4.3.23
Affected: >= 4.2.0, < 4.2.27
Affected: >= 4.1.0, < 4.1.30
Affected: >= 4.0.0, < 4.0.30
Affected: >= 3.9.0, < 3.9.31
Affected: >= 3.8.0, < 3.8.33
Affected: >= 3.7.0, < 3.7.33

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:21:14.277Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w"
          },
          {
            "name": "DSA-4677",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4677"
          },
          {
            "name": "[debian-lts-announce] 20200511 [SECURITY] [DLA 2208-1] wordpress security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WordPress",
          "vendor": "WordPress",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.4.0, \u003c 5.4.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.3.0, \u003c 5.3.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.2.0, \u003c 5.2.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.1.0, \u003c 5.1.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.0.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.9.0, \u003c 4.9.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.8.0, \u003c 4.8.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.7.0, \u003c 4.7.17"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.6.0, \u003c 4.6.18"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.5.0, \u003c 4.5.21"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.4.0, \u003c 4.4.22"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.3.0, \u003c 4.3.23"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.2.0, \u003c 4.2.27"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 4.1.30"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.30"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.9.0, \u003c 3.9.31"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.8.0, \u003c 3.8.33"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.7.0, \u003c 3.7.33"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-11T15:06:02.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w"
        },
        {
          "name": "DSA-4677",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4677"
        },
        {
          "name": "[debian-lts-announce] 20200511 [SECURITY] [DLA 2208-1] wordpress security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html"
        }
      ],
      "source": {
        "advisory": "GHSA-xhx9-759f-6p2w",
        "discovery": "UNKNOWN"
      },
      "title": "Unauthenticated disclosure of certain private posts in WordPress",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-11028",
          "STATE": "PUBLIC",
          "TITLE": "Unauthenticated disclosure of certain private posts in WordPress"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WordPress",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 5.4.0, \u003c 5.4.1"
                          },
                          {
                            "version_value": "\u003e= 5.3.0, \u003c 5.3.3"
                          },
                          {
                            "version_value": "\u003e= 5.2.0, \u003c 5.2.6"
                          },
                          {
                            "version_value": "\u003e= 5.1.0, \u003c 5.1.5"
                          },
                          {
                            "version_value": "\u003e= 5.0.0, \u003c 5.0.9"
                          },
                          {
                            "version_value": "\u003e= 4.9.0, \u003c 4.9.14"
                          },
                          {
                            "version_value": "\u003e= 4.8.0, \u003c 4.8.13"
                          },
                          {
                            "version_value": "\u003e= 4.7.0, \u003c 4.7.17"
                          },
                          {
                            "version_value": "\u003e= 4.6.0, \u003c 4.6.18"
                          },
                          {
                            "version_value": "\u003e= 4.5.0, \u003c 4.5.21"
                          },
                          {
                            "version_value": "\u003e= 4.4.0, \u003c 4.4.22"
                          },
                          {
                            "version_value": "\u003e= 4.3.0, \u003c 4.3.23"
                          },
                          {
                            "version_value": "\u003e= 4.2.0, \u003c 4.2.27"
                          },
                          {
                            "version_value": "\u003e= 4.1.0, \u003c 4.1.30"
                          },
                          {
                            "version_value": "\u003e= 4.0.0, \u003c 4.0.30"
                          },
                          {
                            "version_value": "\u003e= 3.9.0, \u003c 3.9.31"
                          },
                          {
                            "version_value": "\u003e= 3.8.0, \u003c 3.8.33"
                          },
                          {
                            "version_value": "\u003e= 3.7.0, \u003c 3.7.33"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "WordPress"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33)."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284: Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates",
              "refsource": "MISC",
              "url": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates"
            },
            {
              "name": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w",
              "refsource": "CONFIRM",
              "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w"
            },
            {
              "name": "DSA-4677",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4677"
            },
            {
              "name": "[debian-lts-announce] 20200511 [SECURITY] [DLA 2208-1] wordpress security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-xhx9-759f-6p2w",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-11028",
    "datePublished": "2020-04-30T22:15:23.000Z",
    "dateReserved": "2020-03-30T00:00:00.000Z",
    "dateUpdated": "2024-08-04T11:21:14.277Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-11029 (GCVE-0-2020-11029)

Vulnerability from cvelistv5 – Published: 2020-04-30 22:15 – Updated: 2024-08-04 11:21
Title
Cross-site scripting in stats method (object cache) in WordPress
Summary
In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
WordPress WordPress Affected: >= 5.4.0, < 5.4.1
Affected: >= 5.3.0, < 5.3.3
Affected: >= 5.2.0, < 5.2.6
Affected: >= 5.1.0, < 5.1.5
Affected: >= 5.0.0, < 5.0.9
Affected: >= 4.9.0, < 4.9.14
Affected: >= 4.8.0, < 4.8.13
Affected: >= 4.7.0, < 4.7.17
Affected: >= 4.6.0, < 4.6.18
Affected: >= 4.5.0, < 4.5.21
Affected: >= 4.4.0, < 4.4.22
Affected: >= 4.3.0, < 4.3.23
Affected: >= 4.2.0, < 4.2.27
Affected: >= 4.1.0, < 4.1.30
Affected: >= 4.0.0, < 4.0.30
Affected: >= 3.9.0, < 3.9.31
Affected: >= 3.8.0, < 3.8.33
Affected: >= 3.7.0, < 3.7.33

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:21:14.187Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-568w-8m88-8g2c"
          },
          {
            "name": "DSA-4677",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4677"
          },
          {
            "name": "[debian-lts-announce] 20200511 [SECURITY] [DLA 2208-1] wordpress security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WordPress",
          "vendor": "WordPress",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.4.0, \u003c 5.4.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.3.0, \u003c 5.3.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.2.0, \u003c 5.2.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.1.0, \u003c 5.1.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.0.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.9.0, \u003c 4.9.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.8.0, \u003c 4.8.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.7.0, \u003c 4.7.17"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.6.0, \u003c 4.6.18"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.5.0, \u003c 4.5.21"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.4.0, \u003c 4.4.22"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.3.0, \u003c 4.3.23"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.2.0, \u003c 4.2.27"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 4.1.30"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.30"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.9.0, \u003c 3.9.31"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.8.0, \u003c 3.8.33"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.7.0, \u003c 3.7.33"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-11T15:06:04.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-568w-8m88-8g2c"
        },
        {
          "name": "DSA-4677",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4677"
        },
        {
          "name": "[debian-lts-announce] 20200511 [SECURITY] [DLA 2208-1] wordpress security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html"
        }
      ],
      "source": {
        "advisory": "GHSA-568w-8m88-8g2c",
        "discovery": "UNKNOWN"
      },
      "title": "Cross-site scripting in stats method (object cache) in WordPress",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-11029",
          "STATE": "PUBLIC",
          "TITLE": "Cross-site scripting in stats method (object cache) in WordPress"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WordPress",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 5.4.0, \u003c 5.4.1"
                          },
                          {
                            "version_value": "\u003e= 5.3.0, \u003c 5.3.3"
                          },
                          {
                            "version_value": "\u003e= 5.2.0, \u003c 5.2.6"
                          },
                          {
                            "version_value": "\u003e= 5.1.0, \u003c 5.1.5"
                          },
                          {
                            "version_value": "\u003e= 5.0.0, \u003c 5.0.9"
                          },
                          {
                            "version_value": "\u003e= 4.9.0, \u003c 4.9.14"
                          },
                          {
                            "version_value": "\u003e= 4.8.0, \u003c 4.8.13"
                          },
                          {
                            "version_value": "\u003e= 4.7.0, \u003c 4.7.17"
                          },
                          {
                            "version_value": "\u003e= 4.6.0, \u003c 4.6.18"
                          },
                          {
                            "version_value": "\u003e= 4.5.0, \u003c 4.5.21"
                          },
                          {
                            "version_value": "\u003e= 4.4.0, \u003c 4.4.22"
                          },
                          {
                            "version_value": "\u003e= 4.3.0, \u003c 4.3.23"
                          },
                          {
                            "version_value": "\u003e= 4.2.0, \u003c 4.2.27"
                          },
                          {
                            "version_value": "\u003e= 4.1.0, \u003c 4.1.30"
                          },
                          {
                            "version_value": "\u003e= 4.0.0, \u003c 4.0.30"
                          },
                          {
                            "version_value": "\u003e= 3.9.0, \u003c 3.9.31"
                          },
                          {
                            "version_value": "\u003e= 3.8.0, \u003c 3.8.33"
                          },
                          {
                            "version_value": "\u003e= 3.7.0, \u003c 3.7.33"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "WordPress"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33)."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates",
              "refsource": "MISC",
              "url": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates"
            },
            {
              "name": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-568w-8m88-8g2c",
              "refsource": "CONFIRM",
              "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-568w-8m88-8g2c"
            },
            {
              "name": "DSA-4677",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4677"
            },
            {
              "name": "[debian-lts-announce] 20200511 [SECURITY] [DLA 2208-1] wordpress security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-568w-8m88-8g2c",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-11029",
    "datePublished": "2020-04-30T22:15:18.000Z",
    "dateReserved": "2020-03-30T00:00:00.000Z",
    "dateUpdated": "2024-08-04T11:21:14.187Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-11030 (GCVE-0-2020-11030)

Vulnerability from cvelistv5 – Published: 2020-04-30 22:15 – Updated: 2024-08-04 11:21
Title
Cross-site scripting (XSS) in Search block in WordPress
Summary
In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
CWE
  • CWE-707 - Improper Neutralization
Assigner
Impacted products
Vendor Product Version
WordPress WordPress Affected: >= 5.4.0, < 5.4.1
Affected: >= 5.3.0, < 5.3.3
Affected: >= 5.2.0, < 5.2.6
Affected: >= 5.1.0, < 5.1.5
Affected: >= 5.0.0, < 5.0.9
Affected: >= 4.9.0, < 4.9.14
Affected: >= 4.8.0, < 4.8.13
Affected: >= 4.7.0, < 4.7.17
Affected: >= 4.6.0, < 4.6.18
Affected: >= 4.5.0, < 4.5.21
Affected: >= 4.4.0, < 4.4.22
Affected: >= 4.3.0, < 4.3.23
Affected: >= 4.2.0, < 4.2.27
Affected: >= 4.1.0, < 4.1.30
Affected: >= 4.0.0, < 4.0.30
Affected: >= 3.9.0, < 3.9.31
Affected: >= 3.8.0, < 3.8.33
Affected: >= 3.7.0, < 3.7.33

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:21:14.171Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-vccm-6gmc-qhjh"
          },
          {
            "name": "DSA-4677",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4677"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WordPress",
          "vendor": "WordPress",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.4.0, \u003c 5.4.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.3.0, \u003c 5.3.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.2.0, \u003c 5.2.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.1.0, \u003c 5.1.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.0.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.9.0, \u003c 4.9.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.8.0, \u003c 4.8.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.7.0, \u003c 4.7.17"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.6.0, \u003c 4.6.18"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.5.0, \u003c 4.5.21"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.4.0, \u003c 4.4.22"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.3.0, \u003c 4.3.23"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.2.0, \u003c 4.2.27"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 4.1.30"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.30"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.9.0, \u003c 3.9.31"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.8.0, \u003c 3.8.33"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.7.0, \u003c 3.7.33"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-707",
              "description": "CWE-707: Improper Neutralization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-06T12:06:11.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-vccm-6gmc-qhjh"
        },
        {
          "name": "DSA-4677",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4677"
        }
      ],
      "source": {
        "advisory": "GHSA-vccm-6gmc-qhjh",
        "discovery": "UNKNOWN"
      },
      "title": "Cross-site scripting (XSS) in Search block in WordPress",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-11030",
          "STATE": "PUBLIC",
          "TITLE": "Cross-site scripting (XSS) in Search block in WordPress"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WordPress",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 5.4.0, \u003c 5.4.1"
                          },
                          {
                            "version_value": "\u003e= 5.3.0, \u003c 5.3.3"
                          },
                          {
                            "version_value": "\u003e= 5.2.0, \u003c 5.2.6"
                          },
                          {
                            "version_value": "\u003e= 5.1.0, \u003c 5.1.5"
                          },
                          {
                            "version_value": "\u003e= 5.0.0, \u003c 5.0.9"
                          },
                          {
                            "version_value": "\u003e= 4.9.0, \u003c 4.9.14"
                          },
                          {
                            "version_value": "\u003e= 4.8.0, \u003c 4.8.13"
                          },
                          {
                            "version_value": "\u003e= 4.7.0, \u003c 4.7.17"
                          },
                          {
                            "version_value": "\u003e= 4.6.0, \u003c 4.6.18"
                          },
                          {
                            "version_value": "\u003e= 4.5.0, \u003c 4.5.21"
                          },
                          {
                            "version_value": "\u003e= 4.4.0, \u003c 4.4.22"
                          },
                          {
                            "version_value": "\u003e= 4.3.0, \u003c 4.3.23"
                          },
                          {
                            "version_value": "\u003e= 4.2.0, \u003c 4.2.27"
                          },
                          {
                            "version_value": "\u003e= 4.1.0, \u003c 4.1.30"
                          },
                          {
                            "version_value": "\u003e= 4.0.0, \u003c 4.0.30"
                          },
                          {
                            "version_value": "\u003e= 3.9.0, \u003c 3.9.31"
                          },
                          {
                            "version_value": "\u003e= 3.8.0, \u003c 3.8.33"
                          },
                          {
                            "version_value": "\u003e= 3.7.0, \u003c 3.7.33"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "WordPress"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33)."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-707: Improper Neutralization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates",
              "refsource": "MISC",
              "url": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates"
            },
            {
              "name": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-vccm-6gmc-qhjh",
              "refsource": "CONFIRM",
              "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-vccm-6gmc-qhjh"
            },
            {
              "name": "DSA-4677",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4677"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-vccm-6gmc-qhjh",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-11030",
    "datePublished": "2020-04-30T22:15:14.000Z",
    "dateReserved": "2020-03-30T00:00:00.000Z",
    "dateUpdated": "2024-08-04T11:21:14.171Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}
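
The record above encodes its affected versions as free-text range strings of the form ">= 5.4.0, < 5.4.1" under containers.cna.affected[].versions[].version, one per maintained branch. The following is an added example, not code from the page or from the WordPress project, that parses those strings and answers the question a practitioner actually has when triaging: is my installed WordPress version inside one of the affected windows? The eighteen range strings are copied from the record above (the CVE-2020-11025 and CVE-2020-11027 records later on this page list the same ranges); SAMPLE_RECORD is a constructed fragment in the page's cvelistv5 shape, used only to show extraction from a parsed record. Records that use the schema's structured lessThan / lessThanOrEqual fields instead of a range string need a different extractor and are not handled here.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Version strings copied from the CVE-2020-11030 record above
# (containers.cna.affected[0].versions[*].version), one per branch.
CVE_2020_11030_RANGES: List[str] = [
    ">= 5.4.0, < 5.4.1",
    ">= 5.3.0, < 5.3.3",
    ">= 5.2.0, < 5.2.6",
    ">= 5.1.0, < 5.1.5",
    ">= 5.0.0, < 5.0.9",
    ">= 4.9.0, < 4.9.14",
    ">= 4.8.0, < 4.8.13",
    ">= 4.7.0, < 4.7.17",
    ">= 4.6.0, < 4.6.18",
    ">= 4.5.0, < 4.5.21",
    ">= 4.4.0, < 4.4.22",
    ">= 4.3.0, < 4.3.23",
    ">= 4.2.0, < 4.2.27",
    ">= 4.1.0, < 4.1.30",
    ">= 4.0.0, < 4.0.30",
    ">= 3.9.0, < 3.9.31",
    ">= 3.8.0, < 3.8.33",
    ">= 3.7.0, < 3.7.33",
]

_CLAUSE = re.compile(r"^\s*(>=|<=|>|<|=)?\s*(\d+(?:\.\d+)*)\s*$")
Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'5.4.1' -> (5, 4, 1). Rejects anything that is not dotted integers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in text.split("."))


def compare(a: Version, b: Version) -> int:
    """Three-way compare with zero padding, so 5.4 == 5.4.0 and 5.4 < 5.4.1."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def in_range(version: str, range_text: str) -> bool:
    """True if `version` satisfies every comma-separated clause, e.g. '>= 5.4.0, < 5.4.1'."""
    v = parse_version(version)
    for clause in range_text.split(","):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unparseable clause {clause!r} in {range_text!r}")
        op, bound = m.group(1) or "=", parse_version(m.group(2))
        c = compare(v, bound)
        if not {">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "=": c == 0}[op]:
            return False
    return True


def affected_ranges(record: Dict) -> List[str]:
    """Collect the 'affected' version strings from a cvelistv5 record (containers.cna.affected)."""
    out: List[str] = []
    for product in record["containers"]["cna"]["affected"]:
        for v in product.get("versions", []):
            if v.get("status") == "affected":
                out.append(v["version"])
    return out


def is_affected(version: str, ranges: Sequence[str] = CVE_2020_11030_RANGES) -> bool:
    """A version is affected if it falls inside any one of the per-branch windows."""
    return any(in_range(version, r) for r in ranges)


# Constructed record fragment in the page's cvelistv5 shape (not a real fetched record).
SAMPLE_RECORD = {
    "cveMetadata": {"cveId": "CVE-2020-11030"},
    "containers": {"cna": {"affected": [
        {"product": "WordPress", "vendor": "WordPress",
         "versions": [{"status": "affected", "version": r} for r in CVE_2020_11030_RANGES]},
    ]}},
}

if __name__ == "__main__":
    ranges = affected_ranges(SAMPLE_RECORD)
    for v in ("5.4", "5.4.1", "4.9.13", "4.9.14", "3.6.1"):
        print(v, "affected" if is_affected(v, ranges) else "not in an affected window")
```

Note that "not in an affected window" is not the same as "safe": 3.6.x sits below the oldest listed branch because it was never backported to, not because it is fixed, so a negative result for a version older than the lowest range should be read as end-of-life rather than patched.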

CVE-2020-11025 (GCVE-0-2020-11025)

Vulnerability from cvelistv5 – Published: 2020-04-30 22:10 – Updated: 2024-08-04 11:21
Title
Authenticated cross-site scripting (XSS) in WordPress Customizer
Summary
In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
WordPress WordPress Affected: >= 5.4.0, < 5.4.1
Affected: >= 5.3.0, < 5.3.3
Affected: >= 5.2.0, < 5.2.6
Affected: >= 5.1.0, < 5.1.5
Affected: >= 5.0.0, < 5.0.9
Affected: >= 4.9.0, < 4.9.14
Affected: >= 4.8.0, < 4.8.13
Affected: >= 4.7.0, < 4.7.17
Affected: >= 4.6.0, < 4.6.18
Affected: >= 4.5.0, < 4.5.21
Affected: >= 4.4.0, < 4.4.22
Affected: >= 4.3.0, < 4.3.23
Affected: >= 4.2.0, < 4.2.27
Affected: >= 4.1.0, < 4.1.30
Affected: >= 4.0.0, < 4.0.30
Affected: >= 3.9.0, < 3.9.31
Affected: >= 3.8.0, < 3.8.33
Affected: >= 3.7.0, < 3.7.33

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:21:14.581Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates"
          },
          {
            "name": "DSA-4677",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4677"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WordPress",
          "vendor": "WordPress",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.4.0, \u003c 5.4.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.3.0, \u003c 5.3.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.2.0, \u003c 5.2.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.1.0, \u003c 5.1.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.0.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.9.0, \u003c 4.9.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.8.0, \u003c 4.8.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.7.0, \u003c 4.7.17"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.6.0, \u003c 4.6.18"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.5.0, \u003c 4.5.21"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.4.0, \u003c 4.4.22"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.3.0, \u003c 4.3.23"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.2.0, \u003c 4.2.27"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 4.1.30"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.30"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.9.0, \u003c 3.9.31"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.8.0, \u003c 3.8.33"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.7.0, \u003c 3.7.33"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-06T12:06:15.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates"
        },
        {
          "name": "DSA-4677",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4677"
        }
      ],
      "source": {
        "advisory": "GHSA-4mhg-j6fx-5g3c",
        "discovery": "UNKNOWN"
      },
      "title": "Authenticated cross-site scripting (XSS) in WordPress Customizer",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-11025",
          "STATE": "PUBLIC",
          "TITLE": "Authenticated cross-site scripting (XSS) in WordPress Customizer"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WordPress",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 5.4.0, \u003c 5.4.1"
                          },
                          {
                            "version_value": "\u003e= 5.3.0, \u003c 5.3.3"
                          },
                          {
                            "version_value": "\u003e= 5.2.0, \u003c 5.2.6"
                          },
                          {
                            "version_value": "\u003e= 5.1.0, \u003c 5.1.5"
                          },
                          {
                            "version_value": "\u003e= 5.0.0, \u003c 5.0.9"
                          },
                          {
                            "version_value": "\u003e= 4.9.0, \u003c 4.9.14"
                          },
                          {
                            "version_value": "\u003e= 4.8.0, \u003c 4.8.13"
                          },
                          {
                            "version_value": "\u003e= 4.7.0, \u003c 4.7.17"
                          },
                          {
                            "version_value": "\u003e= 4.6.0, \u003c 4.6.18"
                          },
                          {
                            "version_value": "\u003e= 4.5.0, \u003c 4.5.21"
                          },
                          {
                            "version_value": "\u003e= 4.4.0, \u003c 4.4.22"
                          },
                          {
                            "version_value": "\u003e= 4.3.0, \u003c 4.3.23"
                          },
                          {
                            "version_value": "\u003e= 4.2.0, \u003c 4.2.27"
                          },
                          {
                            "version_value": "\u003e= 4.1.0, \u003c 4.1.30"
                          },
                          {
                            "version_value": "\u003e= 4.0.0, \u003c 4.0.30"
                          },
                          {
                            "version_value": "\u003e= 3.9.0, \u003c 3.9.31"
                          },
                          {
                            "version_value": "\u003e= 3.8.0, \u003c 3.8.33"
                          },
                          {
                            "version_value": "\u003e= 3.7.0, \u003c 3.7.33"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "WordPress"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33)."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c",
              "refsource": "CONFIRM",
              "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c"
            },
            {
              "name": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates",
              "refsource": "MISC",
              "url": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates"
            },
            {
              "name": "DSA-4677",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4677"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-4mhg-j6fx-5g3c",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-11025",
    "datePublished": "2020-04-30T22:10:11.000Z",
    "dateReserved": "2020-03-30T00:00:00.000Z",
    "dateUpdated": "2024-08-04T11:21:14.581Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-11027 (GCVE-0-2020-11027)

Vulnerability from cvelistv5 – Published: 2020-04-30 00:00 – Updated: 2024-08-04 11:21
Title
Password reset links invalidation issue in WordPress
Summary
In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
CWE
  • CWE-672 - Operation on a Resource after Expiration or Release
Assigner
Impacted products
Vendor Product Version
WordPress WordPress Affected: >= 5.4.0, < 5.4.1
Affected: >= 5.3.0, < 5.3.3
Affected: >= 5.2.0, < 5.2.6
Affected: >= 5.1.0, < 5.1.5
Affected: >= 5.0.0, < 5.0.9
Affected: >= 4.9.0, < 4.9.14
Affected: >= 4.8.0, < 4.8.13
Affected: >= 4.7.0, < 4.7.17
Affected: >= 4.6.0, < 4.6.18
Affected: >= 4.5.0, < 4.5.21
Affected: >= 4.4.0, < 4.4.22
Affected: >= 4.3.0, < 4.3.23
Affected: >= 4.2.0, < 4.2.27
Affected: >= 4.1.0, < 4.1.30
Affected: >= 4.0.0, < 4.0.30
Affected: >= 3.9.0, < 3.9.31
Affected: >= 3.8.0, < 3.8.33
Affected: >= 3.7.0, < 3.7.33

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:21:14.307Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ww7v-jg8c-q6jw"
          },
          {
            "name": "DSA-4677",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4677"
          },
          {
            "name": "[debian-lts-announce] 20200511 [SECURITY] [DLA 2208-1] wordpress security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/173034/WordPress-Theme-Medic-1.0.0-Weak-Password-Recovery-Mechanism.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WordPress",
          "vendor": "WordPress",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.4.0, \u003c 5.4.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.3.0, \u003c 5.3.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.2.0, \u003c 5.2.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.1.0, \u003c 5.1.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.0.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.9.0, \u003c 4.9.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.8.0, \u003c 4.8.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.7.0, \u003c 4.7.17"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.6.0, \u003c 4.6.18"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.5.0, \u003c 4.5.21"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.4.0, \u003c 4.4.22"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.3.0, \u003c 4.3.23"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.2.0, \u003c 4.2.27"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 4.1.30"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.30"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.9.0, \u003c 3.9.31"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.8.0, \u003c 3.8.33"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.7.0, \u003c 3.7.33"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-672",
              "description": "CWE-672: Operation on a Resource after Expiration or Release",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-20T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates"
        },
        {
          "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ww7v-jg8c-q6jw"
        },
        {
          "name": "DSA-4677",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4677"
        },
        {
          "name": "[debian-lts-announce] 20200511 [SECURITY] [DLA 2208-1] wordpress security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html"
        },
        {
          "url": "http://packetstormsecurity.com/files/173034/WordPress-Theme-Medic-1.0.0-Weak-Password-Recovery-Mechanism.html"
        }
      ],
      "source": {
        "advisory": "GHSA-ww7v-jg8c-q6jw",
        "discovery": "UNKNOWN"
      },
      "title": "Password reset links invalidation issue in WordPress"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-11027",
    "datePublished": "2020-04-30T00:00:00.000Z",
    "dateReserved": "2020-03-30T00:00:00.000Z",
    "dateUpdated": "2024-08-04T11:21:14.307Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}
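The CVE-2020-11027 record above describes a CWE-672 condition: a password-reset link stays valid after the password it was issued for has been changed. The following is an added illustration, not WordPress code and not the 5.4.1 fix itself; it contrasts a reset key that is merely stored on the user row (and never cleared) with a token that commits to the current password hash, so that a password change invalidates every outstanding link. The server key, user record, PBKDF2 parameters and 24-hour lifetime are constructed for the example.

```python
"""Password-reset links that outlive a password change (CWE-672) versus links
bound to the credential they reset.

Added illustration for the CVE-2020-11027 entry above. This is not WordPress
code and does not reproduce the 5.4.1 fix; the key, user record, lifetime and
hash parameters below are constructed for the example.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

SERVER_KEY = b"constructed-demo-key-not-for-production"  # assumption: per-site secret
TOKEN_TTL = 24 * 3600  # assumption: links also expire after 24 h regardless


def _hash_password(password: str, salt: bytes) -> str:
    # Any real password hash will do; PBKDF2 keeps the example dependency-free.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000).hex()


class User:
    def __init__(self, user_id: int, password: str) -> None:
        self.user_id = user_id
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash_password(password, self.salt)
        self.activation_key: Optional[str] = None  # random reset key stored on the row

    def set_password(self, password: str) -> None:
        # The vulnerable pattern: the stored reset key is not cleared here.
        self.password_hash = _hash_password(password, self.salt)


# Vulnerable: a random key is stored on the user row and only compared on use.
def issue_token_vulnerable(user: User) -> str:
    user.activation_key = secrets.token_urlsafe(32)
    return user.activation_key


def verify_token_vulnerable(user: User, token: str) -> bool:
    if user.activation_key is None or not token.isascii():
        return False
    return hmac.compare_digest(user.activation_key, token)


# Hardened: the token is an HMAC over (user id, current password hash, expiry).
# Changing the password changes the hash, so every outstanding link stops
# verifying without any extra database write; the expiry bounds the window too.
def issue_token_hardened(user: User, now: Optional[float] = None) -> str:
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    msg = f"{user.user_id}:{user.password_hash}:{expires}".encode()
    return f"{expires}.{hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()}"


def verify_token_hardened(user: User, token: str, now: Optional[float] = None) -> bool:
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    if (time.time() if now is None else now) >= expires or not mac.isascii():
        return False
    msg = f"{user.user_id}:{user.password_hash}:{expires}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def demo() -> dict:
    """Issue a link, change the password, then try the old link again."""
    results = {}
    u = User(7, "old-password")
    link = issue_token_vulnerable(u)
    u.set_password("new-password")
    results["vulnerable_old_link_still_valid"] = verify_token_vulnerable(u, link)

    u = User(7, "old-password")
    t0 = 1_700_000_000.0  # fixed clock so the run is reproducible
    link = issue_token_hardened(u, now=t0)
    results["hardened_valid_before_change"] = verify_token_hardened(u, link, now=t0 + 60)
    u.set_password("new-password")
    results["hardened_old_link_still_valid"] = verify_token_hardened(u, link, now=t0 + 60)
    results["hardened_rejects_expired"] = not verify_token_hardened(
        u, issue_token_hardened(u, now=t0), now=t0 + TOKEN_TTL + 1)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Binding the token to the password hash handles the case the record describes (password changed, link still live) and the expiry handles stale links; the stored-key design can be fixed just as well by clearing the key on every password write. Neither variant makes a link single-use, which needs server-side state that the example deliberately leaves out.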

CVE-2019-16781 (GCVE-0-2019-16781)

Vulnerability from cvelistv5 – Published: 2019-12-26 17:00 – Updated: 2024-08-05 01:24
Title
Stored cross-site scripting (XSS) in WordPress block editor
Summary
In WordPress before 5.3.1, authenticated users with lower privileges (such as contributors) can inject JavaScript code into the block editor, where it is executed within the dashboard. If an administrator then opens the affected post in the editor, the injected script runs in the administrator's session (stored XSS).
CWE
  • CWE-79 - Cross-site Scripting (XSS)
Assigner
Impacted products
Vendor: WordPress; Product: WordPress; Version: affected, < 5.3.1 (versionType: custom)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:24:48.284Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpvulndb.com/vulnerabilities/9976"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/731301"
          },
          {
            "name": "20200108 [SECURITY] [DSA 4599-1] wordpress security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2020/Jan/8"
          },
          {
            "name": "DSA-4599",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4599"
          },
          {
            "name": "DSA-4677",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4677"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WordPress",
          "vendor": "WordPress",
          "versions": [
            {
              "lessThan": "5.3.1",
              "status": "affected",
              "version": "\u003c 5.3.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-06T12:06:10.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpvulndb.com/vulnerabilities/9976"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/731301"
        },
        {
          "name": "20200108 [SECURITY] [DSA 4599-1] wordpress security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2020/Jan/8"
        },
        {
          "name": "DSA-4599",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4599"
        },
        {
          "name": "DSA-4677",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4677"
        }
      ],
      "source": {
        "advisory": "GHSA-pg4x-64rh-3c9v",
        "discovery": "UNKNOWN"
      },
      "title": "Stored cross-site scripting (XSS) in WordPress block editor",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2019-16781",
          "STATE": "PUBLIC",
          "TITLE": "Stored cross-site scripting (XSS) in WordPress block editor"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WordPress",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "\u003c 5.3.1",
                            "version_value": "5.3.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "WordPress"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpvulndb.com/vulnerabilities/9976",
              "refsource": "MISC",
              "url": "https://wpvulndb.com/vulnerabilities/9976"
            },
            {
              "name": "https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/",
              "refsource": "MISC",
              "url": "https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/"
            },
            {
              "name": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v",
              "refsource": "CONFIRM",
              "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v"
            },
            {
              "name": "https://hackerone.com/reports/731301",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/731301"
            },
            {
              "name": "20200108 [SECURITY] [DSA 4599-1] wordpress security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2020/Jan/8"
            },
            {
              "name": "DSA-4599",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4599"
            },
            {
              "name": "DSA-4677",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4677"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-pg4x-64rh-3c9v",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2019-16781",
    "datePublished": "2019-12-26T17:00:17.000Z",
    "dateReserved": "2019-09-24T00:00:00.000Z",
    "dateUpdated": "2024-08-05T01:24:48.284Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}
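The records on this page carry their version ranges in the cvelistv5 `containers.cna.affected[].versions` structure, where each entry has a `version`, a `status`, a `versionType` and optionally a `lessThan` upper bound (the schema also allows `lessThanOrEqual` and `*` for an unbounded end). The checker below is an added example, not tooling from the CVE program or from WordPress; it decides whether an installed version falls inside such a range and reads the installed version out of the text of `wp-includes/version.php`. The sample record is constructed to mirror the shape of the `affected` arrays above, including the `"version": "< 5.3.1"` label that the records use instead of a real lower bound; it is not a real CVE.

```python
"""Check an installed WordPress version against the 'affected' ranges of a
cvelistv5 record.

Added illustration for the CVE records on this page; it is not CVE-program or
WordPress tooling. The record below is constructed to mirror the shape of the
'affected' arrays above (version "< 5.3.1" with lessThan "5.3.1", versionType
"custom") plus the lessThanOrEqual form the cvelistv5 schema also allows.
"""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'5.3', '5.3.0' and ' 5.3 ' compare equal. versionType "custom" means the
    CNA defines the semantics; this works because WordPress uses dotted numbers."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def _lower_bound(entry: dict) -> Optional[Version]:
    """Range start, or None when 'version' is '0' or a '<'-style label such as
    '< 5.3.1' (as in the records above), which carries no lower bound."""
    ver = entry.get("version", "").strip()
    if ver in ("", "0") or ver.startswith(("<", "\u2264")):
        return None
    return parse_version(ver)


def _in_range(installed: Version, entry: dict) -> bool:
    if "lessThan" in entry:
        end, inclusive = entry["lessThan"], False
    elif "lessThanOrEqual" in entry:
        end, inclusive = entry["lessThanOrEqual"], True
    else:  # a single exact version
        return installed == parse_version(entry.get("version", ""))
    start = _lower_bound(entry)
    if start is not None and installed < start:
        return False
    if end == "*":  # cvelistv5 uses '*' for an unbounded upper end
        return True
    end_v = parse_version(end)
    return installed <= end_v if inclusive else installed < end_v


def is_affected(record: dict, vendor: str, product: str, installed: str) -> bool:
    """True if any 'affected' range matches and no 'unaffected' range overrides it."""
    inst = parse_version(installed)
    hit = False
    for aff in record["containers"]["cna"]["affected"]:
        if aff.get("vendor") != vendor or aff.get("product") != product:
            continue
        for entry in aff.get("versions", []):
            if not _in_range(inst, entry):
                continue
            if entry.get("status") == "unaffected":
                return False
            if entry.get("status") == "affected":
                hit = True
    return hit


def read_wp_version(version_php: str) -> Optional[str]:
    """Extract $wp_version from the text of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    return m.group(1) if m else None


# Constructed record: one '<'-style range as in the records above, plus two
# branch ranges in lessThanOrEqual form. Not a real CVE.
SAMPLE_RECORD = json.loads("""
{"containers": {"cna": {"affected": [
  {"vendor": "WordPress", "product": "WordPress", "versions": [
    {"version": "< 5.3.1", "lessThan": "5.3.1", "status": "affected", "versionType": "custom"}]},
  {"vendor": "WordPress", "product": "WordPress", "versions": [
    {"version": "6.8", "lessThanOrEqual": "6.8.2", "status": "affected", "versionType": "custom"},
    {"version": "6.7", "lessThanOrEqual": "6.7.3", "status": "affected", "versionType": "custom"}]}
]}}}
""")

if __name__ == "__main__":
    # Constructed file text standing in for wp-includes/version.php.
    installed = read_wp_version("<?php\n$wp_version = '6.8.2';\n")
    print(installed, "affected:", is_affected(SAMPLE_RECORD, "WordPress", "WordPress", installed))
```

Two caveats that follow from the records themselves. A `versionType` of `custom` means the CNA, not the schema, defines how versions compare, so the dotted-number comparison above is only valid for products that version that way. And a single `lessThan 5.3.1` range over-reports for branches that received the fix as a backported minor release (the descriptions above name 3.7 through 5.3), so a hit on an old branch should be confirmed against the vendor's release notes rather than treated as proof of exposure.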

CVE-2019-16780 (GCVE-0-2019-16780)

Vulnerability from cvelistv5 – Published: 2019-12-26 16:50 – Updated: 2024-08-05 01:24
Title
Stored cross-site scripting (XSS) in WordPress block editor
Summary
WordPress users with lower privileges (such as contributors) can inject JavaScript code into the block editor using a specific payload; the code is executed within the dashboard, so an administrator who opens the post in the editor is exposed to XSS. The attack requires an authenticated user. This has been patched in WordPress 5.3.1, and in all earlier WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases, and WordPress strongly recommends keeping them enabled.
CWE
  • CWE-79 - Cross-site Scripting (XSS)
Assigner
Impacted products
Vendor: WordPress; Product: WordPress; Version: affected, < 5.3.1 (versionType: custom)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:24:47.245Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpvulndb.com/vulnerabilities/9976"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-x3wp-h3qx-9w94"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/WordPress/wordpress-develop/commit/505dd6a20b6fc3d06130018c1caeff764248c29e"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/738644"
          },
          {
            "name": "20200108 [SECURITY] [DSA 4599-1] wordpress security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2020/Jan/8"
          },
          {
            "name": "DSA-4599",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4599"
          },
          {
            "name": "DSA-4677",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4677"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WordPress",
          "vendor": "WordPress",
          "versions": [
            {
              "lessThan": "5.3.1",
              "status": "affected",
              "version": "\u003c 5.3.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-06T12:06:14.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpvulndb.com/vulnerabilities/9976"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-x3wp-h3qx-9w94"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WordPress/wordpress-develop/commit/505dd6a20b6fc3d06130018c1caeff764248c29e"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/738644"
        },
        {
          "name": "20200108 [SECURITY] [DSA 4599-1] wordpress security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2020/Jan/8"
        },
        {
          "name": "DSA-4599",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4599"
        },
        {
          "name": "DSA-4677",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4677"
        }
      ],
      "source": {
        "advisory": "GHSA-x3wp-h3qx-9w94",
        "discovery": "UNKNOWN"
      },
      "title": "Stored cross-site scripting (XSS) in WordPress block editor",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2019-16780",
          "STATE": "PUBLIC",
          "TITLE": "Stored cross-site scripting (XSS) in WordPress block editor"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WordPress",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "\u003c 5.3.1",
                            "version_value": "5.3.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "WordPress"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpvulndb.com/vulnerabilities/9976",
              "refsource": "MISC",
              "url": "https://wpvulndb.com/vulnerabilities/9976"
            },
            {
              "name": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-x3wp-h3qx-9w94",
              "refsource": "CONFIRM",
              "url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-x3wp-h3qx-9w94"
            },
            {
              "name": "https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/",
              "refsource": "MISC",
              "url": "https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/"
            },
            {
              "name": "https://github.com/WordPress/wordpress-develop/commit/505dd6a20b6fc3d06130018c1caeff764248c29e",
              "refsource": "MISC",
              "url": "https://github.com/WordPress/wordpress-develop/commit/505dd6a20b6fc3d06130018c1caeff764248c29e"
            },
            {
              "name": "https://hackerone.com/reports/738644",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/738644"
            },
            {
              "name": "20200108 [SECURITY] [DSA 4599-1] wordpress security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2020/Jan/8"
            },
            {
              "name": "DSA-4599",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4599"
            },
            {
              "name": "DSA-4677",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4677"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-x3wp-h3qx-9w94",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2019-16780",
    "datePublished": "2019-12-26T16:50:13.000Z",
    "dateReserved": "2019-09-24T00:00:00.000Z",
    "dateUpdated": "2024-08-05T01:24:47.245Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}
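Both block-editor entries above (CVE-2019-16781 and CVE-2019-16780) share one shape: markup saved by a low-privilege author is later rendered in a higher-privileged user's editor session, which is why the CVSS vectors carry `PR:L`, `UI:R` and `S:C`. The control that stops that class of bug is filtering on save, with an allow-list of tags and attributes rather than a deny-list of known-bad ones. The sanitizer below is an added illustration of that approach; it is not WordPress's KSES filter and it does not reproduce the payloads from either report. The allow-list, the safe-scheme set and the sample submission are constructed for the example.

```python
"""Allow-list filtering of HTML submitted by low-privilege authors.

Added illustration for the two block-editor stored-XSS entries above
(CVE-2019-16781 and CVE-2019-16780). It is not WordPress's KSES filter and does
not show the payloads from those reports; the allow-list, the test document and
the scheme list below are constructed for the example.
"""
from html import escape
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# tag -> attributes a contributor may set (constructed subset)
ALLOWED = {
    "p": set(), "strong": set(), "em": set(), "br": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL
VOID = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}  # drop the element and its text


def _safe_url(value: str) -> bool:
    # Browsers ignore control characters and whitespace inside a scheme,
    # so "java\tscript:" must be normalised before the scheme is checked.
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # decodes &#x6A;avascript: before checks
        self.out: List[str] = []
        self.dropped: List[str] = []  # what was removed, useful for alerting
        self._skip = 0

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            self.dropped.append(f"<{tag}> with content")
            return
        if self._skip or tag not in ALLOWED:
            self.dropped.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name not in ALLOWED[tag]:  # rejects every on* handler, style, srcdoc, ...
                self.dropped.append(f"{tag}@{name}")
            elif name in URL_ATTRS and not _safe_url(value):
                self.dropped.append(f"{tag}@{name}={value!r}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag: str) -> None:
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        if not self._skip:
            self.out.append(escape(data, quote=False))


def sanitize(html: str) -> Tuple[str, List[str]]:
    """Return (filtered HTML, list of removed items)."""
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped


# Constructed contributor submission, not a payload from either advisory.
SUBMITTED = (
    '<p>Hi <img src="x" onerror="alert(1)"> '
    '<a href="javascript:alert(1)">click</a>'
    '<script>alert(2)</script></p>'
)

if __name__ == "__main__":
    clean, removed = sanitize(SUBMITTED)
    print(clean)
    print(removed)
```

The event handler, the `javascript:` link and the script element are removed while the surrounding content survives, and the `dropped` list gives the application something to log when a contributor's submission needed filtering. The point of the allow-list is that the check never has to know what an attack looks like: anything not explicitly permitted for that tag is gone, including attributes and schemes that did not exist when the list was written.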

CERTFR-2024-AVI-0516

Vulnerability from certfr_avis - Published: 2024-06-25 - Updated: 2024-06-25

Multiple vulnerabilities have been discovered in WordPress. They allow an attacker to cause cross-site scripting (XSS) and a security policy bypass.

Solutions

Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).

Impacted products
Vendor: WordPress; Product: WordPress; Description: WordPress versions prior to 6.5.5
References
WordPress security bulletin, 2024-06-24 (vendor advisory): https://wordpress.org/news/2024/06/wordpress-6-5-5/

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "WordPress versions ant\u00e9rieures \u00e0 6.5.5",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [],
  "initial_release_date": "2024-06-25T00:00:00",
  "last_revision_date": "2024-06-25T00:00:00",
  "links": [],
  "reference": "CERTFR-2024-AVI-0516",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-06-25T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans WordPress. Elles permettent \u00e0 un attaquant de provoquer une injection de code indirecte \u00e0 distance (XSS) et un contournement de la politique de s\u00e9curit\u00e9.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans WordPress",
  "vendor_advisories": [
    {
      "published_at": "2024-06-24",
      "title": "Bulletin de s\u00e9curit\u00e9 WordPress",
      "url": "https://wordpress.org/news/2024/06/wordpress-6-5-5/"
    }
  ]
}

CERTFR-2024-AVI-0285

Vulnerability from certfr_avis - Published: 2024-04-10 - Updated: 2024-04-10

A vulnerability has been discovered in WordPress. It allows an attacker to cause cross-site scripting (XSS).

Solution

Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).

Impacted products
Vendor: WordPress; Product: WordPress; Description: WordPress versions prior to 6.5.2
References
WordPress security bulletin, 2024-04-09 (vendor advisory): https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "WordPress versions ant\u00e9rieures \u00e0 6.5.2",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2024-04-10T00:00:00",
  "last_revision_date": "2024-04-10T00:00:00",
  "links": [],
  "reference": "CERTFR-2024-AVI-0285",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-04-10T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans \u003cspan\nclass=\"textit\"\u003eWordPress\u003c/span\u003e. Elle permet \u00e0 un attaquant de provoquer\nune injection de code indirecte \u00e0 distance (XSS).\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans WordPress",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 WordPress du 09 avril 2024",
      "url": "https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/"
    }
  ]
}

CERTFR-2023-AVI-1003

Vulnerability from certfr_avis - Published: 2023-12-07 - Updated: 2023-12-07

A vulnerability has been discovered in WordPress. It allows an attacker to cause remote arbitrary code execution.

Solution

Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).

Impacted products
Vendor: WordPress; Product: WordPress; Description: WordPress versions prior to 6.4.2
References
WordPress security bulletin, 2023-12-06 (vendor advisory): https://wordpress.org/news/2023/12/wordpress-6-4-2-maintenance-security-release/

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "WordPress versions ant\u00e9rieures \u00e0 6.4.2",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2023-12-07T00:00:00",
  "last_revision_date": "2023-12-07T00:00:00",
  "links": [],
  "reference": "CERTFR-2023-AVI-1003",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-12-07T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans WordPress. Elle permet \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans WordPress",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 WordPress wordpress-6-4-2 du 06 d\u00e9cembre 2023",
      "url": "https://wordpress.org/news/2023/12/wordpress-6-4-2-maintenance-security-release/"
    }
  ]
}

CERTFR-2023-AVI-0842

Vulnerability from certfr_avis - Published: 2023-10-13 - Updated: 2023-10-13

Multiple vulnerabilities have been discovered in WordPress. Some of them allow an attacker to cause remote arbitrary code execution, a remote denial of service and a breach of data confidentiality.

Solution

Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).

Impacted products
Vendor: WordPress; Product: WordPress; Description: WordPress versions prior to 6.3.2

References
WordPress security bulletin, 2023-10-12 (vendor advisory): https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "WordPress versions ant\u00e9rieures \u00e0 6.3.2",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2023-10-13T00:00:00",
  "last_revision_date": "2023-10-13T00:00:00",
  "links": [],
  "reference": "CERTFR-2023-AVI-0842",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-10-13T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eWordPress\u003c/span\u003e. Certaines d\u0027entre elles permettent \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un\nd\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des\ndonn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans WordPress",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 WordPress wordpress-6-3-2-maintenance-and-security-release du 12 octobre 2023",
      "url": "https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/"
    }
  ]
}

CERTFR-2023-AVI-0402

Vulnerability from certfr_avis - Published: 2023-05-22 - Updated: 2023-05-22

A vulnerability has been discovered in WordPress. It allows an attacker to cause a security issue not specified by the vendor.

Solution

Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).

Impacted products
Vendor: WordPress; Product: WordPress; Description: WordPress versions prior to 6.2.2
References

Show details on source website

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "WordPress versions ant\u00e9rieures \u00e0 6.2.2",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2023-05-22T00:00:00",
  "last_revision_date": "2023-05-22T00:00:00",
  "links": [],
  "reference": "CERTFR-2023-AVI-0402",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-05-22T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Wordpress. Elle permet \u00e0 un\nattaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par\nl\u0027\u00e9diteur.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Wordpress",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Wordpress wordpress-6-2-2-security-release du 20 mai 2023",
      "url": "https://wordpress.org/news/2023/05/wordpress-6-2-2-security-release/"
    }
  ]
}

CERTFR-2023-AVI-0386

Vulnerability from certfr_avis - Published: 2023-05-17 - Updated: 2023-05-17

Multiple vulnerabilities have been discovered in WordPress. Some of them allow an attacker to cause a security policy bypass, a breach of data confidentiality and remote cross-site scripting (XSS).

Solution

Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).

Impacted products
Vendor     Product    Description
WordPress  WordPress  WordPress versions prior to 6.2.1

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "WordPress versions ant\u00e9rieures \u00e0 6.2.1",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2023-05-17T00:00:00",
  "last_revision_date": "2023-05-17T00:00:00",
  "links": [],
  "reference": "CERTFR-2023-AVI-0386",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-05-17T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans WordPress.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un\ncontournement de la politique de s\u00e9curit\u00e9, une atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0\ndistance (XSS).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans WordPress",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 WordPress wordpress-6-2-1-maintenance-security-release du 16 mai 2023",
      "url": "https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/"
    }
  ]
}

CERTFR-2022-AVI-923

Vulnerability from certfr_avis - Published: 2022-10-18 - Updated: 2022-10-18

Multiple vulnerabilities have been discovered in WordPress. Some of them allow an attacker to cause remote arbitrary code execution, a security policy bypass and remote cross-site scripting (XSS).

Solution

Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).

Impacted products
Vendor     Product    Description
WordPress  WordPress  WordPress versions prior to 6.0.3

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "WordPress versions ant\u00e9rieures \u00e0 6.0.3",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2022-10-18T00:00:00",
  "last_revision_date": "2022-10-18T00:00:00",
  "links": [],
  "reference": "CERTFR-2022-AVI-923",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-10-18T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans WordPress.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un contournement de la\npolitique de s\u00e9curit\u00e9 et une injection de code indirecte \u00e0 distance\n(XSS).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans WordPress",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 WordPress wordpress-6-0-3-security-release du 17 octobre 2022",
      "url": "https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/"
    }
  ]
}

CERTFR-2022-AVI-251

Vulnerability from certfr_avis - Published: 2022-03-17 - Updated: 2022-03-17

Multiple vulnerabilities have been discovered in WordPress. They allow an attacker to cause a security issue not specified by the vendor and remote cross-site scripting (XSS).

Solution

Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).

Impacted products
Vendor     Product    Description
WordPress  WordPress  WordPress versions prior to 5.9.2

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "WordPress versions ant\u00e9rieures \u00e0 5.9.2",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2022-03-17T00:00:00",
  "last_revision_date": "2022-03-17T00:00:00",
  "links": [],
  "reference": "CERTFR-2022-AVI-251",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-03-17T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans WordPress. Elles\npermettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non\nsp\u00e9cifi\u00e9 par l\u0027\u00e9diteur et une injection de code indirecte \u00e0 distance\n(XSS).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans WordPress",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 WordPress 5.9.2 du 16 mars 2022",
      "url": "https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/"
    }
  ]
}

CERTFR-2022-AVI-010

Vulnerability from certfr_avis - Published: 2022-01-07 - Updated: 2022-01-11

Multiple vulnerabilities have been discovered in WordPress. They allow an attacker to cause remote arbitrary code execution and remote cross-site scripting (XSS).

Solution

Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).

Impacted products
Vendor     Product    Description
WordPress  WordPress  WordPress versions prior to 5.8.3

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "WordPress versions ant\u00e9rieures \u00e0 5.8.3",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-21664",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21664"
    },
    {
      "name": "CVE-2022-21661",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21661"
    },
    {
      "name": "CVE-2022-21662",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21662"
    },
    {
      "name": "CVE-2022-21663",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21663"
    }
  ],
  "initial_release_date": "2022-01-07T00:00:00",
  "last_revision_date": "2022-01-11T00:00:00",
  "links": [],
  "reference": "CERTFR-2022-AVI-010",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-01-07T00:00:00.000000"
    },
    {
      "description": "Ajout de quatre identifiants CVE.",
      "revision_date": "2022-01-11T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans WordPress. Elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance et une injection de code indirecte \u00e0 distance (XSS).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans WordPress",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 WordPress du 06 janvier 2022",
      "url": "https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/"
    }
  ]
}

CERTFR-2021-AVI-866

Vulnerability from certfr_avis - Published: 2021-11-12 - Updated: 2021-11-12

A vulnerability has been discovered in WordPress. It allows an attacker to cause a security issue not specified by the vendor.

Solution

Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).

Impacted products
Vendor     Product    Description
WordPress  WordPress  WordPress versions prior to 5.8.2

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "WordPress versions ant\u00e9rieures \u00e0 5.8.2",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2021-11-12T00:00:00",
  "last_revision_date": "2021-11-12T00:00:00",
  "links": [],
  "reference": "CERTFR-2021-AVI-866",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-11-12T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans WordPress. Elle permet \u00e0 un\nattaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par\nl\u0027\u00e9diteur.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans WordPress",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 WordPress du 11 novembre 2021",
      "url": "https://wordpress.org/news/2021/11/wordpress-5-8-2-security-and-maintenance-release/"
    }
  ]
}

CERTFR-2021-AVI-686

Vulnerability from certfr_avis - Published: 2021-09-09 - Updated: 2021-09-09

Multiple vulnerabilities have been discovered in WordPress. They allow an attacker to cause a security issue not specified by the vendor, a breach of data confidentiality and remote cross-site scripting (XSS).

Solution

Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).

Impacted products
Vendor     Product    Description
WordPress  WordPress  WordPress versions prior to 5.8.1

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "WordPress versions ant\u00e9rieures \u00e0 5.8.1",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2021-09-09T00:00:00",
  "last_revision_date": "2021-09-09T00:00:00",
  "links": [],
  "reference": "CERTFR-2021-AVI-686",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-09-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans WordPress. Elles\npermettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non\nsp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et\nune injection de code indirecte \u00e0 distance (XSS).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans WordPress",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 WordPress 5.8.1 du 08 septembre 2021",
      "url": "https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/"
    }
  ]
}

CERTFR-2021-AVI-378

Vulnerability from certfr_avis - Published: 2021-05-14 - Updated: 2021-05-14

Multiple vulnerabilities have been discovered in WordPress. They allow an attacker to cause remote arbitrary code execution.

Solution

Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).

Impacted products
Vendor     Product    Description
WordPress  WordPress  WordPress versions prior to 5.7.2

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "WordPress versions ant\u00e9rieures \u00e0 5.7.2",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-36326",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-36326"
    },
    {
      "name": "CVE-2018-19296",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-19296"
    }
  ],
  "initial_release_date": "2021-05-14T00:00:00",
  "last_revision_date": "2021-05-14T00:00:00",
  "links": [],
  "reference": "CERTFR-2021-AVI-378",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-05-14T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans WordPress. Elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans WordPress",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 WordPress du 13 mai 2021",
      "url": "https://wordpress.org/news/2021/05/wordpress-5-7-2-security-release/"
    }
  ]
}

CERTFR-2021-AVI-270

Vulnerability from certfr_avis - Published: 2021-04-15 - Updated: 2021-04-15

Multiple vulnerabilities have been discovered in WordPress. They allow an attacker to cause a security issue not specified by the vendor and a breach of data confidentiality.

Solution

Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).

Impacted products
Vendor     Product    Description
WordPress  WordPress  WordPress versions prior to 5.7.1

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "WordPress versions ant\u00e9rieures \u00e0 5.7.1",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2021-04-15T00:00:00",
  "last_revision_date": "2021-04-15T00:00:00",
  "links": [],
  "reference": "CERTFR-2021-AVI-270",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-04-15T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Wordpress. Elles\npermettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non\nsp\u00e9cifi\u00e9 par l\u0027\u00e9diteur et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Wordpress",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Wordpress du 15 avril 2021",
      "url": "https://wordpress.org/news/2021/04/wordpress-5-7-1-security-and-maintenance-release/"
    }
  ]
}

CERTFR-2020-AVI-364

Vulnerability from certfr_avis - Published: 2020-06-11 - Updated: 2020-06-11

Multiple vulnerabilities have been discovered in WordPress. Some of them allow an attacker to cause a security issue not specified by the vendor, a breach of data confidentiality and privilege escalation.

Solution

Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).

Impacted products
Vendor     Product    Description
WordPress  WordPress  WordPress version 5.3 without the latest security patch
WordPress  WordPress  WordPress 5.4.x versions prior to 5.4.2

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "WordPress version 5.3 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    },
    {
      "description": "WordPress versions 5.4.x ant\u00e9rieures \u00e0 5.4.2",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2020-06-11T00:00:00",
  "last_revision_date": "2020-06-11T00:00:00",
  "links": [],
  "reference": "CERTFR-2020-AVI-364",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-06-11T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans WordPress.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un\nprobl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es et une \u00e9l\u00e9vation de privil\u00e8ges.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans WordPress",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 WordPress 5.4.2 du 10 juin 2020",
      "url": "https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/"
    }
  ]
}

CERTFR-2020-AVI-271

Vulnerability from certfr_avis - Published: 2020-05-06 - Updated: 2020-05-06

Multiple vulnerabilities have been discovered in WordPress. They allow an attacker to cause a security policy bypass, a breach of data confidentiality and remote cross-site scripting (XSS).

Solution

Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).

Impacted products
Vendor     Product    Description
WordPress  WordPress  WordPress 5.x versions prior to 5.4.1, 5.3.3, 5.2.6, 5.1.5, 5.0.9
WordPress  WordPress  WordPress 3.x versions prior to 3.9.31, 3.8.33, 3.7.33
WordPress  WordPress  WordPress 4.x versions prior to 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "WordPress 5.x versions ant\u00e9rieures \u00e0 5.4.1, 5.3.3, 5.2.6, 5.1.5, 5.0.9",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    },
    {
      "description": "WordPress 3.x versions ant\u00e9rieures \u00e0 3.9.31, 3.8.33, 3.7.33",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    },
    {
      "description": "WordPress 4.x versions ant\u00e9rieures \u00e0 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2020-05-06T00:00:00",
  "last_revision_date": "2020-05-06T00:00:00",
  "links": [],
  "reference": "CERTFR-2020-AVI-271",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-05-06T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans WordPress. Elles\npermettent \u00e0 un attaquant de provoquer un contournement de la politique\nde s\u00e9curit\u00e9, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une\ninjection de code indirecte \u00e0 distance (XSS).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans WordPress",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 WordPress du 29 avril 2020",
      "url": "https://wordpress.org/news/2020/04/wordpress-5-4-1/"
    }
  ]
}

CERTFR-2019-AVI-631

Vulnerability from certfr_avis - Published: 2019-12-13 - Updated: 2019-12-13

Multiple vulnerabilities have been discovered in WordPress. They allow an attacker to cause a security issue not specified by the vendor, a security policy bypass and remote cross-site scripting (XSS).

Solution

Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).

Impacted products
Vendor     Product    Description
WordPress  WordPress  WordPress versions 5.2.x and earlier without the latest security patch
WordPress  WordPress  WordPress 5.3.x versions prior to 5.3.1

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "WordPress versions 5.2.x et ant\u00e9rieures sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    },
    {
      "description": "WordPress versions 5.3.x ant\u00e9rieures \u00e0 5.3.1",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2019-12-13T00:00:00",
  "last_revision_date": "2019-12-13T00:00:00",
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 WordPress 5.3.1 du 13 d\u00e9cembre 2019",
      "url": "https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/"
    }
  ],
  "reference": "CERTFR-2019-AVI-631",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2019-12-13T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans WordPress. Elles\npermettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non\nsp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, un contournement de la politique de s\u00e9curit\u00e9 et\nune injection de code indirecte \u00e0 distance (XSS).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans WordPress",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 WordPress 5.3.1 du 11 d\u00e9cembre 2019",
      "url": null
    }
  ]
}

CERTFR-2019-AVI-504

Vulnerability from certfr_avis - Published: 2019-10-15 - Updated: 2019-10-15

Multiple vulnerabilities have been fixed in WordPress. They allow an attacker to cause remote cross-site scripting (XSS).

Solution

Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).

Impacted products
Vendor     Product    Description
WordPress  WordPress  WordPress versions 5.2.3 and earlier

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "WordPress versions 5.2.3 et ant\u00e9rieures",
      "product": {
        "name": "WordPress",
        "vendor": {
          "name": "WordPress",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2019-10-15T00:00:00",
  "last_revision_date": "2019-10-15T00:00:00",
  "links": [],
  "reference": "CERTFR-2019-AVI-504",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2019-10-15T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans Wordpress . Elles\npermettent \u00e0 un attaquant de provoquer une injection de code indirecte \u00e0\ndistance (XSS).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Wordpress",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Wordpress du 14 octobre 2019",
      "url": "https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/"
    }
  ]
}
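The certfr_avis records above carry their version bounds only as free-text French "description" strings under "affected_systems" (for example "WordPress versions antérieures à 6.2.2" or "WordPress 5.x versions antérieures à 5.4.1, 5.3.3, ..."), and most records have an empty "cves" list, so the description is the only field a patch-status check can key on. The following is an added example, not CERT-FR's or WordPress's own tooling. It assumes the three phrasings that occur in this listing (strict "antérieures à X", inclusive "X et antérieures", and the unparseable "sans le dernier correctif de sécurité") and that a "N.x" / "N.M.x" token restricts a line to that release branch; the sample records are trimmed copies of three advisories from the listing, constructed inline so the script runs offline.

```python
"""Triage an installed WordPress version against CERT-FR certfr_avis records.

Added example (not CERT-FR or WordPress code). Assumed phrasings, taken from
the records on this page:
  "versions antérieures à X[, Y, ...]"   -> strictly below the fix for your branch
  "versions X et antérieures"            -> X and everything below
  "sans le dernier correctif de sécurité" -> free text, route to a human
An optional "5.x" / "5.4.x" token limits the line to that release branch.
"""
import re
from typing import Optional

# French phrases as they appear in the records, written with \u escapes to
# match the JSON encoding used on the page.
BEFORE = "ant\u00e9rieures \u00e0"            # "antérieures à": strict upper bound
AND_BEFORE = "et ant\u00e9rieures"            # "et antérieures": inclusive bound
NO_LATEST_FIX = "sans le dernier correctif"  # not machine-checkable

BRANCH_RE = re.compile(r"(\d+(?:\.\d+)*)\.x\b")  # "5.x", "5.4.x"
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")        # "6.2.2", "3.9.31"


def parse_version(text: str, width: int = 3) -> tuple:
    """'6.2' -> (6, 2, 0): pad so '6.2' and '6.2.0' compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(installed: str, description: str) -> Optional[bool]:
    """True/False for a parseable description, None when it needs manual review."""
    if NO_LATEST_FIX in description:
        return None
    inst = parse_version(installed)

    # A branch qualifier such as "5.4.x" limits this line to that branch.
    branches = [tuple(int(p) for p in b.split(".")) for b in BRANCH_RE.findall(description)]
    if branches and not any(inst[:len(b)] == b for b in branches):
        return False

    # Strip the branch tokens first so "5.4.x" is not read as version 5.4.
    fixed = [parse_version(v) for v in VERSION_RE.findall(BRANCH_RE.sub("", description))]
    if not fixed:
        return None

    if AND_BEFORE in description:
        return inst <= max(fixed)          # "versions 5.2.3 et antérieures"
    if BEFORE in description:
        if len(fixed) == 1:
            return inst < fixed[0]         # "versions antérieures à 6.2.2"
        # One fix per branch: compare against the fix of our own branch only,
        # so 5.3.3 is not flagged merely because it sorts below 5.4.1.
        return any(inst[:-1] == f[:-1] and inst < f for f in fixed)
    return None


def triage(installed: str, advisories: list) -> dict:
    """Map each advisory reference to 'affected', 'not affected' or 'review'."""
    out = {}
    for adv in advisories:
        verdicts = [is_affected(installed, s["description"]) for s in adv["affected_systems"]]
        if True in verdicts:
            out[adv["reference"]] = "affected"
        elif None in verdicts:
            out[adv["reference"]] = "review"
        else:
            out[adv["reference"]] = "not affected"
    return out


# Constructed sample: trimmed copies of three records from the listing above
# (only the fields the triage needs).
SAMPLE_ADVISORIES = [
    {
        "reference": "CERTFR-2023-AVI-0402",
        "affected_systems": [
            {"description": "WordPress versions ant\u00e9rieures \u00e0 6.2.2"},
        ],
    },
    {
        "reference": "CERTFR-2020-AVI-364",
        "affected_systems": [
            {"description": "WordPress version 5.3 sans le dernier correctif de s\u00e9curit\u00e9"},
            {"description": "WordPress versions 5.4.x ant\u00e9rieures \u00e0 5.4.2"},
        ],
    },
    {
        "reference": "CERTFR-2020-AVI-271",
        "affected_systems": [
            {"description": "WordPress 5.x versions ant\u00e9rieures \u00e0 5.4.1, 5.3.3, 5.2.6, 5.1.5, 5.0.9"},
            {"description": "WordPress 3.x versions ant\u00e9rieures \u00e0 3.9.31, 3.8.33, 3.7.33"},
            {"description": "WordPress 4.x versions ant\u00e9rieures \u00e0 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30"},
        ],
    },
]

if __name__ == "__main__":
    for ref, status in triage("5.3.2", SAMPLE_ADVISORIES).items():
        print(ref, status)
```

The "review" outcome is deliberate: a line such as "version 5.3 sans le dernier correctif de sécurité" names no fixed release, so the script refuses to guess and leaves that advisory for a human to check against the linked wordpress.org bulletin. For a real run, replace SAMPLE_ADVISORIES with the full records fetched from the CERT-FR API referenced by the "$ref" field in each record.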