Vulnerability Description
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions, the widgets editor introduced in WordPress 5.8 beta 1 improperly handled HTML input in the Custom HTML feature, leading to stored XSS in the custom HTML widget. This has been patched in WordPress 5.8. The issue was present only during the testing/beta phase of WordPress 5.8.
CVSS Score
HIGH (CVSS base score 7.6)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| WordPress | WordPress | 5.8 |
Related Weaknesses (CWE)
References
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-fr6h-385 (Third Party Advisory)
- https://hackerone.com/reports/1222797 (Permissions Required)
FAQ
What is CVE-2021-39202?
CVE-2021-39202 is a vulnerability with a CVSS score of 7.6 (HIGH). WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has...
How severe is CVE-2021-39202?
CVE-2021-39202 has been rated HIGH with a CVSS base score of 7.6/10. See the CVSS score section above.
Is there a patch for CVE-2021-39202?
Check the references section above for vendor advisories and patch information. Affected product: WordPress (vendor: WordPress), version 5.8.