Jazzy2Fives

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 5.4.2 **Description** In WordPress, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public. This issue is related to the comment-template.php file in the wp-includes directory. **Recommendations** For versions prior to 5.4.2, update to version 5.4.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 5.4.2 WordPress versions 5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34 **Description** The issue is related to an unintended/open redirect when an arbitrary external link is crafted due to a problem in `wp validate redirect()` and URL sanitization. This could allow a remote attacker to access and compromise confidential data. **Recommendations** For WordPress versions prior to 5.4.2, update to version 5.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to external links until the update is applied.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 5.4.2 WordPress versions 5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34 **Description** The issue is related to the injection of JavaScript into media file attachment pages by authenticated users with upload permissions, such as authors. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. **Recommendations** For WordPress versions prior to 5.4.2, update to version 5.4.2 or later to resolve the issue. For WordPress versions 5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34, update to the respective minor release or later to resolve the issue. As a temporary workaround, consider restricting upload permissions for users to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 5.4.2 WordPress versions 5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34 **Description** The issue is related to the embed block in the WordPress block editor, which allows users with low privileges to inject unfiltered HTML. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For WordPress versions prior to 5.4.2, update to version 5.4.2 or later to resolve the issue. For WordPress versions 5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34, update to the corresponding minor release or later to resolve the issue. As a temporary workaround, consider restricting the use of the embed block in the block editor to minimize the risk of exploitation.