CVE-2021-39202
HIGHWordPress 5.8 beta 1 - Stored Cross-Site Scripting in Custom HTML Widget
Title source: llmDescription
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the custom HTML widget. This has been patched in WordPress 5.8. It was only present during the testing/beta phase of WordPress 5.8.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_confirm
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-fr6h-3855-j297
Permissions Required x_refsource_misc
https://hackerone.com/reports/1222797
Scores
CVSS v3
7.6
EPSS
0.0082
EPSS Percentile
74.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
wordpress/wordpress
5.8 beta1 (2 CPE variants)
Published
Sep 09, 2021
Tracked Since
Feb 18, 2026