Unrated severityNVD Advisory· Published Oct 16, 2024· Updated Apr 8, 2026
WordPress Core < 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via use of the_meta(); function
CVE-2022-4973
Description
WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page.
Affected products
4- osv-coords2 versions
< 3.6.2+ 1 more
- (no CPE)range: < 3.6.2
- (no CPE)range: < 3.6.2
Patches
Vulnerability mechanics
References
4- core.trac.wordpress.org/changeset/53961mitre
- wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/mitre
- www.wordfence.com/blog/2022/08/wordpress-core-6-0-2-security-maintenance-release-what-you-need-to-know/mitre
- www.wordfence.com/threat-intel/vulnerabilities/id/b5582e89-83e6-4898-b9fe-09eddeb5f7aemitre
News mentions
0No linked articles in our index yet.