CVE-2024-31111 WordPress Core < 6.5.5 - Cross Site Scripting (XSS) vulnerability

2024-06-2512:54:47

CWE-79

Patchstack

github.com

cve-2024-31111

wordpress

xss

vulnerability

cross-site scripting

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

AI Score

6.9

Confidence

High

EPSS

Percentile

9.1%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Automattic WordPress allows Stored XSS.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9.

CNA Affected

[
  {
    "vendor": "Automattic",
    "product": "WordPress",
    "versions": [
      {
        "status": "affected",
        "changes": [
          {
            "at": "6.5.5",
            "status": "unaffected"
          }
        ],
        "version": "6.5",
        "versionType": "custom",
        "lessThanOrEqual": "6.5.4"
      },
      {
        "status": "affected",
        "changes": [
          {
            "at": "6.4.5",
            "status": "unaffected"
          }
        ],
        "version": "6.4",
        "versionType": "custom",
        "lessThanOrEqual": "6.4.4"
      },
      {
        "status": "affected",
        "changes": [
          {
            "at": "6.3.5",
            "status": "unaffected"
          }
        ],
        "version": "6.3",
        "versionType": "custom",
        "lessThanOrEqual": "6.3.4"
      },
      {
        "status": "affected",
        "changes": [
          {
            "at": "6.2.6",
            "status": "unaffected"
          }
        ],
        "version": "6.2",
        "versionType": "custom",
        "lessThanOrEqual": "6.2.5"
      },
      {
        "status": "affected",
        "changes": [
          {
            "at": "6.1.7",
            "status": "unaffected"
          }
        ],
        "version": "6.1",
        "versionType": "custom",
        "lessThanOrEqual": "6.1.6"
      },
      {
        "status": "affected",
        "changes": [
          {
            "at": "6.0.9",
            "status": "unaffected"
          }
        ],
        "version": "6.0",
        "versionType": "custom",
        "lessThanOrEqual": "6.0.8"
      },
      {
        "status": "affected",
        "changes": [
          {
            "at": "5.9.10",
            "status": "unaffected"
          }
        ],
        "version": "5.9",
        "versionType": "custom",
        "lessThanOrEqual": "5.9.9"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

patchstack.com/database/vulnerability/wordpress/wordpress-wordpress-core-core-6-5-5-cross-site-scripting-xss-via-template-part-vulnerability?_s_id=cve

wordpress.org/news/2024/06/wordpress-6-5-5/