PT-2024-37526 · WordPress · Wordpress

Published 2024-06-25 · Updated 2024-06-25 · CVE-2024-6305

Severity: None. No severity ratings or metrics are available for this entry yet.
Name of the Vulnerable Software and Affected Versions: WordPress Core, versions up to and including 6.5.5
Description: WordPress Core is vulnerable to Stored Cross-Site Scripting via the Template Part Block because the block's tagName attribute is insufficiently sanitized on input and escaped on output. An authenticated attacker with contributor-level access or above can store arbitrary web script in the attribute, and that script executes in the browser of any user who views the affected page.
Recommendations: For versions up to 6.5.5, update to a release that contains the fix for this issue. As a temporary workaround, restrict access to the Template Part Block for contributor-level users and above until the patched version is deployed.
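The class of defect described above, as an added example that is not WordPress code: a hypothetical block renderer that places a stored tagName attribute into markup, shown first in the unsafe form and then hardened with a tag-name allowlist and attribute escaping. The allowlist, element names and attribute shapes are assumptions for illustration, not WordPress's actual fix.

```javascript
// Added example (not WordPress code): a hypothetical block renderer that
// takes a stored tagName attribute, first unsafely, then hardened.

// Constructed block attributes as a contributor might save them.
const SAFE_ATTRS = { tagName: 'section', className: 'hero' };
const UNSAFE_ATTRS = { tagName: 'div onmouseover=x()', className: 'hero' };

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: tagName is interpolated straight into the tag
// position, so anything stored in it becomes markup rather than data.
// `inner` is assumed to be already-rendered child block HTML.
function renderUnsafe(attrs, inner) {
  return `<${attrs.tagName} class="${attrs.className}">${inner}</${attrs.tagName}>`;
}

// Hardened pattern: tagName must match a short allowlist of wrapper
// elements (an assumption here); anything else falls back to 'div'.
const ALLOWED_TAGS = new Set([
  'div', 'section', 'article', 'aside', 'header', 'footer', 'main',
]);

function sanitizeTagName(tagName) {
  const t = String(tagName || '').toLowerCase();
  return ALLOWED_TAGS.has(t) ? t : 'div';
}

function renderSafe(attrs, inner) {
  const tag = sanitizeTagName(attrs.tagName);
  const cls = escapeAttr(attrs.className || '');
  return `<${tag} class="${cls}">${inner}</${tag}>`;
}
```

The key difference is that the hardened renderer treats tagName as a selector into a fixed set of elements instead of as free-form text, which removes the tag position as an injection point entirely.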

Related Identifiers: CVE-2024-6305

Affected Products: Wordpress