Candidate: CVE-2022-21662
PublicDate: 2022-01-06 23:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21662
 https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
 https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w
 https://hackerone.com/reports/425342
 https://www.debian.org/security/2022/dsa-5039
Description:
 WordPress is a free and open-source content management system written in
 PHP and paired with a MariaDB database. Low-privileged authenticated users
 (like author) in WordPress core are able to execute JavaScript/perform
 stored XSS attack, which can affect high-privileged users. This has been
 patched in WordPress version 5.8.3. Older affected versions are also fixed
 via security release, that go back till 3.7.37. We strongly recommend that
 you keep auto-updates enabled. There are no known workarounds for this
 issue.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003243
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N [5.4 MEDIUM]


Patches_wordpress:
upstream_wordpress: released (5.8.3+dfsg1-1)
trusty_wordpress: ignored (out of standard support)
xenial_wordpress: ignored (out of standard support)
bionic_wordpress: needs-triage
focal_wordpress: needs-triage
hirsute_wordpress: ignored (reached end-of-life)
impish_wordpress: needs-triage
jammy_wordpress: not-affected (5.8.3+dfsg1-1ubuntu1)
devel_wordpress: not-affected (5.8.3+dfsg1-1ubuntu1)