3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
7.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
0.001 Low
EPSS
Percentile
43.7%
WordPress is a free and open-source content management system written in
PHP and paired with a MySQL or MariaDB database. ### Impact The issue
allows an authenticated but low-privileged user (like contributor/author)
to execute XSS in the editor. This bypasses the restrictions imposed on
users who do not have the permission to post unfiltered_html
. ### Patches
This has been patched in WordPress 5.8, and will be pushed to older
versions via minor releases (automatic updates). It’s strongly recommended
that you keep auto-updates enabled to receive the fix. ### References
https://wordpress.org/news/category/releases/
https://hackerone.com/reports/1142140 ### For more information If you have
any questions or comments about this advisory: * Open an issue in
HackerOne
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
7.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
0.001 Low
EPSS
Percentile
43.7%