Lucene search

PRIOn knowledge basePRION:CVE-2019-16781

HistoryDec 26, 2019 - 5:15 p.m.

Cross site scripting

2019-12-2617:15:00

PRIOn knowledge base

www.prio-n.com

5.5 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.7%

JSON

In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.

CPENameOperatorVersion
debian_linuxeq9.0
debian_linuxeq10.0
wordpresslt5.3.1

Name	Operator	Version
debian_linux	eq	9.0
debian_linux	eq	10.0
wordpress	lt	5.3.1

References

github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v

hackerone.com/reports/731301

seclists.org/bugtraq/2020/Jan/8

wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/

wpvulndb.com/vulnerabilities/9976

www.debian.org/security/2020/dsa-4599

www.debian.org/security/2020/dsa-4677