WordPress Vulnerabilities

WordPress <= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)

Description

WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.

Affects WordPress

3.8.1
Fixed in WordPress 4.1.2
3.8
Fixed in WordPress 4.1.2
3.7.1
Fixed in WordPress 4.1.2
3.9
Fixed in WordPress 4.1.2
3.9.1
Fixed in WordPress 4.1.2
3.7
Fixed in WordPress 4.1.2
3.8.2
Fixed in WordPress 4.1.2
3.8.3
Fixed in WordPress 4.1.2
3.9.2
Fixed in WordPress 4.1.2
4.0
Fixed in WordPress 4.1.2
4.1
Fixed in WordPress 4.1.2
4.1.1
Fixed in WordPress 4.1.2
4.0.1
Fixed in WordPress 4.1.2

References

CVE
CVE-2015-3438
URL
https://wordpress.org/news/2015/04/wordpress-4-1-2/
URL
https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
604b553d-5492-4f8c-af7a-db7169780032

Timeline

Publicly Published
2015-04-21 (about 9 years ago)
Added
2015-04-21 (about 9 years ago)
Last Updated
2019-10-22 (about 4 years ago)

Other

Published
Title
Published
2022-12-22
Title
Font Awesome < 4.3.2 - Contributor+ Stored XSS
Published
2021-07-30
Title
You Shang <= 1.0.1 - Authenticated Stored Cross-Site Scripting
Published
2024-03-25
Title
Bulk NoIndex & NoFollow Toolkit < 2.10 - Reflected Cross-Site Scripting via tab, order, and orderby
Published
2014-08-01
Title
ZdStatistics < 2.0.1 - Cross-Site Scripting (XSS)
Published
2022-05-23
Title
Simple Membership < 4.1.1 - Reflected Cross-Site Scripting