WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Search Block



Description
An authenticated user could customise the class of the search block, leading to Cross-Site Scripting (XSS)

Affects WordPresses

fixed in version 5.4.1
fixed in version 5.3.3
fixed in version 5.3.3
fixed in version 5.3.3
fixed in version 5.2.6
fixed in version 5.2.6
fixed in version 5.2.6
fixed in version 5.2.6
fixed in version 5.2.6
fixed in version 5.2.6

References

CVE 2020-11030
URL https://wordpress.org/news/2020/04/wordpress-5-4-1/
URL https://core.trac.wordpress.org/changeset/47636/
URL https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
URL https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-vccm-6gmc-qhjh

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Ben Bidner
Submitter Ryan
Views 1580
Verified No
WPVDB ID 10204

Timeline

Publicly Published 2020-04-29 (27 days ago)
Added 2020-04-30 (25 days ago)
Last Updated 2020-05-02 (23 days ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin