Lucene search

[email protected]NVD:CVE-2022-33994

HistoryJul 30, 2022 - 8:15 p.m.

CVE-2022-33994

2022-07-3020:15:08

CWE-79

[email protected]

web.nvd.nist.gov

wordpress

gutenberg

stored xss

contributor role

insert from url

svg document

security relevance

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

EPSS

0.001

Percentile

21.4%

JSON

The Gutenberg plugin through 13.7.3 for WordPress allows stored XSS by the Contributor role via an SVG document to the “Insert from URL” feature. NOTE: the XSS payload does not execute in the context of the WordPress instance’s domain; however, analogous attempts by low-privileged users to reference SVG documents are blocked by some similar products, and this behavioral difference might have security relevance to some WordPress site administrators.

Affected configurations

Nvd

Node

gutenberg_projectgutenbergRange≤13.7.3wordpress

VendorProductVersionCPE
gutenberg_projectgutenberg*cpe:2.3:a:gutenberg_project:gutenberg:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
gutenberg_project	gutenberg	*	cpe:2.3:a:gutenberg_project:gutenberg::::::wordpress::*

References

blog.jitendrapatro.me/cve-2022-33994-stored-xss-in-wordpress/

patchstack.com/articles/patchstack-weekly-svg-xss-reported-in-gutenberg/

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

EPSS

0.001

Percentile

21.4%

JSON

Related for NVD:CVE-2022-33994

prion1 cve1 patchstack1 cvelist1