CVE-2020-4046

Name of the Vulnerable Software and Affected Versions WordPress versions prior to 5.4.2 WordPress versions 5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34

Description The issue is related to the embed block in the WordPress block editor, which allows users with low privileges to inject unfiltered HTML. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited.

Recommendations For WordPress versions prior to 5.4.2, update to version 5.4.2 or later to resolve the issue. For WordPress versions 5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34, update to the corresponding minor release or later to resolve the issue. As a temporary workaround, consider restricting the use of the embed block in the block editor to minimize the risk of exploitation.