WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. ### References https://wordpress.org/news/category/releases/ https://hackerone.com/reports/1142140 ### For more information If you have any questions or comments about this advisory: * Open an issue in [HackerOne](https://hackerone.com/wordpress)
References
Link | Resource |
---|---|
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-wh69-25hr-h94v | Third Party Advisory |
https://hackerone.com/reports/1142140 | Permissions Required |
https://www.debian.org/security/2021/dsa-4985 | Third Party Advisory |
Configurations
History
14 Dec 2021, 21:20
Type | Values Removed | Values Added |
---|---|---|
References | (DEBIAN) https://www.debian.org/security/2021/dsa-4985 - Third Party Advisory | |
CPE | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
14 Oct 2021, 23:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
27 Sep 2021, 18:36
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-wh69-25hr-h94v - Third Party Advisory | |
References | (MISC) https://hackerone.com/reports/1142140 - Permissions Required | |
CVSS |
v2 : v3 : |
v2 : 3.5
v3 : 5.4 |
CPE | cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* |
09 Sep 2021, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-09-09 22:15
Updated : 2024-02-04 22:08
NVD link : CVE-2021-39201
Mitre link : CVE-2021-39201
CVE.ORG link : CVE-2021-39201
JSON object : View
Products Affected
wordpress
- wordpress
debian
- debian_linux
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')