PT-2021-4498 · WordPress · Wordpress · Lowe · Published 2021-09-09 · Updated 2024-01-31
CVE-2021-39202
CVSS v3.1: 7.6 (High)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
WordPress versions 5.8 beta 1 through 5.8
Description
The issue stems from improper handling of HTML input in the Custom HTML feature of the widgets editor, introduced in WordPress 5.8 beta 1. This results in stored XSS through the Custom HTML widget: a remote attacker who can save widget content is able to inject arbitrary web script or HTML that is then served to other users.
Recommendations
For WordPress versions 5.8 beta 1 through 5.8, update to WordPress 5.8 or later to resolve the issue. As a temporary workaround until the patch is applied, disable or avoid using the Custom HTML feature in the widgets editor, and restrict which users may edit the Custom HTML widget to minimize the risk of exploitation.
Fix
XSS
Affected Products
Wordpress