WordPress Vulnerabilities
WordPress < 5.4.2 - Authenticated XSS via Media Files
Description
Props to Luigi (gubello.me) for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files.
Affects WordPress
Fixed in WordPress 5.4.2
Fixed in WordPress 5.3.4
Fixed in WordPress 5.2.7
Fixed in WordPress 5.1.6
Fixed in WordPress 5.0.10
Fixed in WordPress 4.9.15
Fixed in WordPress 4.8.14
Fixed in WordPress 4.7.18
Fixed in WordPress 4.6.19
Fixed in WordPress 4.5.22
Fixed in WordPress 4.4.23
Fixed in WordPress 4.3.24
Fixed in WordPress 4.2.28
Fixed in WordPress 4.1.31
Fixed in WordPress 4.0.31
Fixed in WordPress 3.9.32
Fixed in WordPress 3.8.34
Fixed in WordPress 3.7.34
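The fixed-in list above is per release branch, so "am I patched?" is not a single comparison against 5.4.2: a site on 4.9.15 carries the backport while a site on 5.4.1 does not. The following Python checker is an added example, not code from WPScan or WordPress. It encodes the advisory's branch table, reads the version from the generator meta tag that WordPress emits by default (themes and security plugins often remove it, so a missing tag means "unknown", not "safe"), and treats any branch older than 3.7 as affected with no backport, since the page lists none. The HTML fragment is constructed for the example.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Backported fix versions per release branch, as listed on this advisory page.
FIXED_IN = {
    (5, 4): (5, 4, 2),  (5, 3): (5, 3, 4),  (5, 2): (5, 2, 7),  (5, 1): (5, 1, 6),
    (5, 0): (5, 0, 10), (4, 9): (4, 9, 15), (4, 8): (4, 8, 14), (4, 7): (4, 7, 18),
    (4, 6): (4, 6, 19), (4, 5): (4, 5, 22), (4, 4): (4, 4, 23), (4, 3): (4, 3, 24),
    (4, 2): (4, 2, 28), (4, 1): (4, 1, 31), (4, 0): (4, 0, 31), (3, 9): (3, 9, 32),
    (3, 8): (3, 8, 34), (3, 7): (3, 7, 34),
}
# The current release carrying the fix; also the upgrade target for branches
# older than 3.7, for which the advisory lists no backport (an assumption).
CURRENT_FIX: Version = (5, 4, 2)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse '5.4', '5.4.1' or '5.4.1-alpha-47000' into (major, minor, patch)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a WordPress version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def format_version(v: Version) -> str:
    return ".".join(str(part) for part in v)


def is_affected(text: str) -> bool:
    """True when the version predates the fix on its own branch."""
    v = parse_version(text)
    if v >= CURRENT_FIX:
        return False            # 5.4.2 and every later release
    fix = FIXED_IN.get(v[:2])
    if fix is None:
        return True             # branch older than 3.7: nothing to backport to
    return v < fix


def fixed_version(text: str) -> Optional[str]:
    """Upgrade target for an affected install (branch backport if one exists),
    or None when the install is not affected."""
    if not is_affected(text):
        return None
    branch_fix = FIXED_IN.get(parse_version(text)[:2])
    return format_version(branch_fix or CURRENT_FIX)


# wp_generator() emits <meta name="generator" content="WordPress X.Y.Z" /> in <head>.
_GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([^"\s]+)"', re.IGNORECASE
)


def extract_generator_version(html: str) -> Optional[str]:
    """Version from the generator tag, or None if the site strips it."""
    m = _GENERATOR_RE.search(html)
    return m.group(1) if m else None


def assess(html: str) -> dict:
    """Combine tag extraction and the branch check into one verdict."""
    version = extract_generator_version(html)
    if version is None:
        return {"version": None, "affected": None, "fixed_in": None}
    return {
        "version": version,
        "affected": is_affected(version),
        "fixed_in": fixed_version(version),
    }


# Constructed sample: a front-page fragment as a default WordPress 5.4.1 emits it.
SAMPLE_HTML = (
    '<html><head><meta name="generator" content="WordPress 5.4.1" />'
    "</head><body></body></html>"
)

if __name__ == "__main__":
    print(assess(SAMPLE_HTML))
```

A version match only says the core files predate the fix; it does not prove the media-upload path is reachable, since that also needs an account with the upload_files capability. Conversely, an absent generator tag or a spoofed one tells you nothing, so pair this with a check of readme.html or the REST index where those are exposed.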
References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Luigi (gubello.me)
Verified
No
WPVDB ID
Timeline
Publicly Published
2020-06-11
Added
2020-06-11
Last Updated
2020-06-13