Description
In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.
References (7)
Core 7
Core References
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9976
Release Notes, Third Party Advisory x_refsource_misc
https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
Third Party Advisory x_refsource_confirm
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v
Permissions Required, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/731301
Mailing List, Third Party Advisory mailing-list
x_refsource_bugtraq
https://seclists.org/bugtraq/2020/Jan/8
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2020/dsa-4599
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2020/dsa-4677
Scores
CVSS v3
5.8
EPSS
0.0349
EPSS Percentile
87.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
Details
CWE
CWE-79
Status
published
Products (3)
debian/debian_linux
9.0
debian/debian_linux
10.0
wordpress/wordpress
< 5.3.1
Published
Dec 26, 2019
Tracked Since
Feb 18, 2026