CVE-2019-16781
Stored cross-site scripting (XSS) in WordPress block editor
Vexday Risk Score: 13 (Low)
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS: 5.8
EPSS: 1.4%
KEV: no
PoC: —
Nuclei: —
Metasploit: —
Patch: referenced
Lifecycle
26 Dec 2019: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
In WordPress before 5.3.1, authenticated users with lower privileges (such as contributors) can inject JavaScript into the block editor. The injected script executes within the dashboard when an administrator opens the affected post in the editor, resulting in stored XSS.
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
Affected products
WordPress · WordPress
References
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v
https://hackerone.com/reports/731301
https://seclists.org/bugtraq/2020/Jan/8
https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
https://wpvulndb.com/vulnerabilities/9976
https://www.debian.org/security/2020/dsa-4599
https://www.debian.org/security/2020/dsa-4677