CVE-2019-16781
Published: 26 December 2019
In WordPress before 5.3.1, authenticated users with lower privileges (such as contributors) can inject JavaScript code into the block editor, where it is executed within the dashboard. If an administrator opens the affected post in the editor, the injected script runs, resulting in stored XSS.
Priority
Status
Package | Release | Status |
---|---|---|
wordpress | bionic | Needs triage |
wordpress | disco | Ignored (end of life) |
wordpress | eoan | Ignored (end of life) |
wordpress | focal | Not vulnerable (5.3.2+dfsg1-1) |
wordpress | groovy | Not vulnerable (5.3.2+dfsg1-1) |
wordpress | hirsute | Not vulnerable (5.3.2+dfsg1-1) |
wordpress | impish | Not vulnerable (5.3.2+dfsg1-1) |
wordpress | jammy | Not vulnerable (5.3.2+dfsg1-1) |
wordpress | kinetic | Not vulnerable (5.3.2+dfsg1-1) |
wordpress | lunar | Not vulnerable (5.3.2+dfsg1-1) |
wordpress | mantic | Not vulnerable (5.3.2+dfsg1-1) |
wordpress | trusty | Does not exist |
wordpress | upstream | Released (5.3.2+dfsg1-1) |
wordpress | xenial | Needs triage |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.4 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
References
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v
- https://hackerone.com/reports/731301
- https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
- https://wpvulndb.com/vulnerabilities/9976
- https://www.cve.org/CVERecord?id=CVE-2019-16781
- NVD
- Launchpad
- Debian