WordPress < 5.4.2 - Authenticated XSS in Block Editor



Description
Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor.

Affects WordPresses

fixed in version 5.4.2
fixed in version 5.4.2
fixed in version 5.3.4
fixed in version 5.3.4
fixed in version 5.3.4
fixed in version 5.3.4
fixed in version 5.2.7
fixed in version 5.2.7
fixed in version 5.2.7
fixed in version 5.2.7
fixed in version 5.2.7
fixed in version 5.2.7
fixed in version 5.2.7
fixed in version 5.1.6
fixed in version 5.1.6
fixed in version 5.1.6
fixed in version 5.1.6
fixed in version 5.1.6
fixed in version 5.1.6

References

CVE 2020-4046
URL https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
URL https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rpwf-hrh2-39jf
URL https://pentest.co.uk/labs/research/subtle-stored-xss-wordpress-core/
Youtube Video

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Sam Thomas (jazzy2fives)
Views 1686
Verified No
WPVDB ID 10263

Timeline

Publicly Published 2020-06-10 (29 days ago)
Added 2020-06-11 (28 days ago)
Last Updated 2020-06-18 (21 days ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin