CVE-2021-39202

WordPress/wordpress-develop

on github

Published

September 9, 2021

Severity

CVSS v3:

5.4 MEDIUM

CVSS v2:

3.5 LOW

Description

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the custom HTML widget. This has been patched in WordPress 5.8. It was only present during the testing/beta phase of WordPress 5.8.

References

https://hackerone.com/reports/1222797
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-fr6h-3855-j297

Configurations

CPE23	Version Start	Version End	Exact Version
cpe:2.3:a:wordpress:wordpress:5.8:beta2::::::	n/a	n/a	5.8
cpe:2.3:a:wordpress:wordpress:5.8:beta1::::::	n/a	n/a	5.8

External Links

NVD - CVE-2021-39202