JVN#09409909: Multiple vulnerabilities in WordPress

2022-11-0800:00:00

Japan Vulnerability Notes

jvn.jp

155

wordpress

vulnerabilities

stored cross-site scripting

improper authentication

arbitrary script

remote attacker

email address

update

version 6.0.3

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.002 Low

EPSS

Percentile

57.2%

JSON

WordPress contains multiple vulnerabilities listed below which are to the WordPress Post by Email Feature.

Stored Cross-site scripting (CWE-79) - CVE-2022-43497

Version	Vector	Score
CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 6.1
CVSS v2	AV:N/AC:M/Au:N/C:N/I:P/A:N	Base Score: 4.3

Stored Cross-site scripting (CWE-79) - CVE-2022-43500

Version	Vector	Score
CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 6.1
CVSS v2	AV:N/AC:M/Au:N/C:N/I:P/A:N	Base Score: 4.3

Improper authentication (CWE-287) - CVE-2022-43504

Version	Vector	Score
CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	Base Score: 5.3
CVSS v2	AV:N/AC:L/Au:N/C:P/I:N/A:N	Base Score: 5.0

Impact

An arbitrary script may be executed on the web browser of the user who is accessing the website using the product - CVE-2022-43497, CVE-2022-43500
A remote unauthenticated attacker may obtain the email address of the user who posted a blog using the WordPress Post by Email Feature - CVE-2022-43504

Solution

Update the Software
Update to the latest version according to the information provided by the developer.
According to the developer, these vulnerabilities have been fixed in version 6.0.3.
The developer also provides new patched releases for all versions since 3.7.