Lucene search

[email protected]CVE-2019-16780

HistoryDec 26, 2019 - 5:15 p.m.

CVE-2019-16780

2019-12-2617:15:13

CWE-79

[email protected]

web.nvd.nist.gov

283

cve-2019-16780

wordpress

xss

vulnerability

patch

nvd

security

update

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

5.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

6.8 Medium

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

52.7%

JSON

WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.

Affected configurations

Vulners

NVD

Node

wordpresswordpressRange<5.3.1

VendorProductVersionCPE
wordpresswordpress*cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
wordpress	wordpress	*	cpe:2.3:a:wordpress:wordpress::::::::

CNA Affected

[
  {
    "product": "WordPress",
    "vendor": "WordPress",
    "versions": [
      {
        "lessThan": "5.3.1",
        "status": "affected",
        "version": "< 5.3.1",
        "versionType": "custom"
      }
    ]
  }
]