5.3

CVE-2022-43504

WordPress Core < 6.0.3 - Stored Cross-Site Scripting via wp-mail.php

WordPress Core < 6.0.3 - Information Disclosure (Email Address)

Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7.
Mögliche Gegenmaßnahme
WordPress: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
WordPress: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
Weitere Schwachstelleninformationen
SystemWordPress Core
Produkt WordPress
Version * - 3.6.1
Version 3.7 - 3.7.39
Version 3.8 - 3.8.39
Version 3.9 - 3.9.37
Version 4.0 - 4.0.36
Version 4.1 - 4.1.36
Version 4.2 - 4.2.33
Version 4.3 - 4.3.29
Version 4.4 - 4.4.28
Version 4.5 - 4.5.27
Version 4.6 - 4.6.24
Version 4.7 - 4.7.24
Version 4.8 - 4.8.20
Version 4.9 - 4.9.21
Version 5.0 - 5.0.17
Version 5.1 - 5.1.14
Version 5.2 - 5.2.16
Version 5.3 - 5.3.13
Version 5.4 - 5.4.11
Version 5.5 - 5.5.10
Version 5.6 - 5.6.9
Version 5.7 - 5.7.7
Version 5.8 - 5.8.5
Version 5.9 - 5.9.4
Version 6.0 - 6.0.2
SystemWordPress Core
Produkt WordPress
Version * - 3.6.1
Version 3.7 - 3.7.39
Version 3.8 - 3.8.39
Version 3.9 - 3.9.37
Version 4.0 - 4.0.36
Version 4.1 - 4.1.36
Version 4.2 - 4.2.33
Version 4.3 - 4.3.29
Version 4.4 - 4.4.28
Version 4.5 - 4.5.27
Version 4.6 - 4.6.24
Version 4.7 - 4.7.24
Version 4.8 - 4.8.20
Version 4.9 - 4.9.21
Version 5.0 - 5.0.17
Version 5.1 - 5.1.14
Version 5.2 - 5.2.16
Version 5.3 - 5.3.13
Version 5.4 - 5.4.11
Version 5.5 - 5.5.10
Version 5.6 - 5.6.9
Version 5.7 - 5.7.7
Version 5.8 - 5.8.5
Version 5.9 - 5.9.4
Version 6.0 - 6.0.2
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
WordpressWordpress Version < 3.7.40
WordpressWordpress Version >= 3.8 < 3.8.40
WordpressWordpress Version >= 3.9 < 3.9.39
WordpressWordpress Version >= 4.0 < 4.0.37
WordpressWordpress Version >= 4.1 < 4.1.37
WordpressWordpress Version >= 4.2 < 4.2.34
WordpressWordpress Version >= 4.3 < 4.3.30
WordpressWordpress Version >= 4.4 < 4.4.29
WordpressWordpress Version >= 4.5 < 4.5.28
WordpressWordpress Version >= 4.6 < 4.6.25
WordpressWordpress Version >= 4.7 < 4.7.25
WordpressWordpress Version >= 4.8 < 4.8.21
WordpressWordpress Version >= 4.9 < 4.9.22
WordpressWordpress Version >= 5.0 < 5.0.18
WordpressWordpress Version >= 5.1 < 5.1.15
WordpressWordpress Version >= 5.2 < 5.2.17
WordpressWordpress Version >= 5.3 < 5.3.14
WordpressWordpress Version >= 5.4 < 5.4.12
WordpressWordpress Version >= 5.5 < 5.5.11
WordpressWordpress Version >= 5.6 < 5.6.10
WordpressWordpress Version >= 5.7 < 5.7.8
WordpressWordpress Version >= 5.8 < 5.8.6
WordpressWordpress Version >= 5.9 < 5.9.5
WordpressWordpress Version >= 6.0 < 6.0.3
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 6.01% 0.903
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://wordpress.org/download/
Vendor Advisory
Product