SecPod SCAP Repo, a repository of SCAP Content (CVE, CCE, CPE, CWE, OVAL and XCCDF)

Download | Alert*

CVE

CVE-2019-16781

In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:		CVSS V2 Severity:
CVSS Score : 5.4		CVSS Score : 3.5
Exploit Score: 2.3		Exploit Score: 6.8
Impact Score: 2.7		Impact Score: 2.9

CVSS V3 Metrics:		CVSS V2 Metrics:
Attack Vector: NETWORK		Access Vector: NETWORK
Attack Complexity: LOW		Access Complexity: MEDIUM
Privileges Required: LOW		Authentication: SINGLE
User Interaction: REQUIRED		Confidentiality: NONE
Scope: CHANGED		Integrity: PARTIAL
Confidentiality: LOW		Availability: NONE
Integrity: LOW
Availability: NONE

Reference:

https://seclists.org/bugtraq/2020/Jan/8

DSA-4599

DSA-4677

https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v

https://hackerone.com/reports/731301

https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/

https://wpvulndb.com/vulnerabilities/9976


30479



423868



248678



909



195426



282