Patchstack advisory PATCHSTACK:095DB10129D3C26C74D65F7EE2F3C40D
Michal Bentkowski (Securitum)
Published: Sep 09, 2021

WordPress core <= 5.8 - Authenticated Cross-Site Scripting (XSS) vulnerability

patchstack.com

EPSS: 0.001 (Low), percentile 43.7%

Authenticated Cross-Site Scripting (XSS) vulnerability discovered by Michal Bentkowski (Securitum) in WordPress core block editor (versions <= 5.8).

The issue allows an authenticated but low-privileged user (such as a contributor or author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the unfiltered_html capability.

Version update list (affected version -> fixed version):
- 5.8 -> 5.8.1
- 5.7, 5.7.1, 5.7.2 -> 5.7.3
- 5.6, 5.6.1, 5.6.2, 5.6.3, 5.6.4 -> 5.6.5
- 5.5, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5 -> 5.5.6
- 5.4, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6 -> 5.4.7

Solution

Update WordPress to the latest available version (at least 5.8.1).

Affected software (CPE)
Name: wordpress
Operator: le
Version: 5.8
