CVE-2019-16781
Published: 26 December 2019
In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
wordpress Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| disco |
Ignored
(end of life)
|
|
| eoan |
Ignored
(end of life)
|
|
| focal |
Not vulnerable
(5.3.2+dfsg1-1)
|
|
| groovy |
Not vulnerable
(5.3.2+dfsg1-1)
|
|
| hirsute |
Not vulnerable
(5.3.2+dfsg1-1)
|
|
| impish |
Not vulnerable
(5.3.2+dfsg1-1)
|
|
| jammy |
Not vulnerable
(5.3.2+dfsg1-1)
|
|
| kinetic |
Not vulnerable
(5.3.2+dfsg1-1)
|
|
| lunar |
Not vulnerable
(5.3.2+dfsg1-1)
|
|
| mantic |
Not vulnerable
(5.3.2+dfsg1-1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.3.2+dfsg1-1)
|
|
| xenial |
Needs triage
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.4 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
References
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v
- https://hackerone.com/reports/731301
- https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
- https://wpvulndb.com/vulnerabilities/9976
- https://www.cve.org/CVERecord?id=CVE-2019-16781
- NVD
- Launchpad
- Debian