CVE-2019-16781
Description
In WordPress before 5.3.1, authenticated users with lower privileges (such as contributors) can inject JavaScript into block editor content, and that script is executed within the dashboard. When an administrator opens the affected post in the editor, the injected script runs in the administrator's browser, resulting in cross-site scripting.
CWE
- CWE-79 — Cross-site Scripting (XSS)
Affected
- WordPress / WordPress — versions < 5.3.1 [affected]
CVSS
- 3.1 score=5.8 severity=MEDIUM
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
References
- https://wpvulndb.com/vulnerabilities/9976 x_refsource_MISC
- https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ x_refsource_MISC
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v x_refsource_CONFIRM
- https://hackerone.com/reports/731301 x_refsource_MISC
- https://seclists.org/bugtraq/2020/Jan/8 mailing-list, x_refsource_BUGTRAQ
- https://www.debian.org/security/2020/dsa-4599 vendor-advisory, x_refsource_DEBIAN
- https://www.debian.org/security/2020/dsa-4677 vendor-advisory, x_refsource_DEBIAN
Source
cvelistV5-main/cves/2019/16xxx/CVE-2019-16781.json