7.6
CVE-2021-39201
- EPSS 0.38%
- Published 09.09.2021 22:15:09
- Last modified 21.11.2024 06:18:53
- Source security-advisories@github.com
WordPress Core 5.4 - 5.8 - Authenticated Stored Cross-Site Scripting
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database.

### Impact

The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`.

### Patches

This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix.

### References

- https://wordpress.org/news/category/releases/
- https://hackerone.com/reports/1142140

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [HackerOne](https://hackerone.com/wordpress)
Possible mitigation
WordPress: Update to one of the following versions, or a newer patched version: 5.4.7, 5.5.6, 5.6.5, 5.7.3, 5.8.1
Further vulnerability information

System: WordPress Core
Product: WordPress

- Version [5.4, 5.4.7)
- Version [5.5, 5.5.6)
- Version [5.6, 5.6.5)
- Version [5.7, 5.7.3)
- Version [5.8, 5.8.1)
Data provided by the National Vulnerability Database (NVD)

- Debian ≫ Debian Linux, Version 10.0
- Debian ≫ Debian Linux, Version 11.0
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.38% | 0.586 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd@nist.gov | 3.5 | 6.8 | 2.9 | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| security-advisories@github.com | 7.6 | 2.3 | 4.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N |
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.