NVD Advisory · Severity: unrated · Published Dec 26, 2019 · Updated Aug 5, 2024
Stored cross-site scripting (XSS) in WordPress block editor
CVE-2019-16780
Description
WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.
Affected products
- WordPress (no CPE listed), versions >= 3.7 and <= 5.3
- WordPress (no CPE listed), versions < 5.3.1
References
- www.debian.org/security/2020/dsa-4599 (vendor advisory, Debian DSA-4599)
- www.debian.org/security/2020/dsa-4677 (vendor advisory, Debian DSA-4677)
- github.com/WordPress/wordpress-develop/commit/505dd6a20b6fc3d06130018c1caeff764248c29e (fix commit)
- github.com/WordPress/wordpress-develop/security/advisories/GHSA-x3wp-h3qx-9w94 (GitHub security advisory, confirmed)
- hackerone.com/reports/738644 (HackerOne report)
- seclists.org/bugtraq/2020/Jan/8 (mailing list, Bugtraq)
- wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ (WordPress 5.3.1 release announcement)
- wpvulndb.com/vulnerabilities/9976 (WPScan vulnerability database)