WordPress 5.4 to 5.8 – Authenticated XSS in Block Editor | CVE 2021-39201

Description

On September 9, 2021 WordPress version 5.8.1 was released fixing three vulnerabilities.

The official blog post states:

"Props to Michał Bentkowski of Securitum for reporting a XSS vulnerability in the block editor."

Further details:

The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post unfiltered_html.

Affects WordPress

5.8

Fixed in WordPress 5.8.1

5.7.2

Fixed in WordPress 5.7.3

5.7.1

Fixed in WordPress 5.7.3

5.7

Fixed in WordPress 5.7.3

5.6.4

Fixed in WordPress 5.6.5

5.6.3

Fixed in WordPress 5.6.5

5.6.2

Fixed in WordPress 5.6.5

5.6.1

Fixed in WordPress 5.6.5

5.6

Fixed in WordPress 5.6.5

5.5.5

Fixed in WordPress 5.5.6

5.5.4

Fixed in WordPress 5.5.6

5.5.3

Fixed in WordPress 5.5.6

5.5.2

Fixed in WordPress 5.5.6

5.5.1

Fixed in WordPress 5.5.6

5.5

Fixed in WordPress 5.5.6

5.4.6

Fixed in WordPress 5.4.7

5.4.5

Fixed in WordPress 5.4.7

5.4.4

Fixed in WordPress 5.4.7

5.4.3

Fixed in WordPress 5.4.7

5.4.2

Fixed in WordPress 5.4.7

5.4.1

Fixed in WordPress 5.4.7

5.4

Fixed in WordPress 5.4.7

References

CVE

CVE-2021-39201

URL

https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/

URL

https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-wh69-25hr-h94v

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

5.4 (medium)

Miscellaneous

Original Researcher

Michał Bentkowski of Securitum

Verified

WPVDB ID

5b754676-20f5-4478-8fd3-6bc383145811

Timeline

Publicly Published

2021-09-09 (about 2 years ago)

Added

2021-09-09 (about 2 years ago)

Last Updated

2022-05-19 (about 1 years ago)

Other

Published

Title

Published

2023-12-19

Title

Multi Step Form < 1.7.17 - Admin+ Stored XSS

Published

2024-03-22

Title

SEOPress – On-site SEO < 7.6 - Author+ Stored Cross-Site Scripting

Published

2024-04-25

Title

WPZOOM Addons for Elementor (Templates, Widgets) <= <=1.1.35 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-10-12

Title

ApplyOnline – Application Form Builder and Manager < 2.5.3 - Reflected XSS

Published

2021-12-27

Title

WP User Frontend < 3.5.26 - SQL Injection to Reflected Cross-Site Scripting