CVE-2021-39202
HIGH
WordPress - XSS
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions, the widgets editor introduced in WordPress 5.8 beta 1 improperly handles HTML input in the Custom HTML feature. This leads to stored XSS in the Custom HTML widget. The issue has been patched in WordPress 5.8; it was only present during the testing/beta phase of WordPress 5.8.
Scores
CVSS v3: 7.6
EPSS: 0.0082
EPSS Percentile: 74.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Classification
CWE: CWE-79
Status: published
Affected Products (2)
wordpress/wordpress
wordpress/wordpress
Timeline
Published: Sep 09, 2021
Tracked Since: Feb 18, 2026