WordPress Vulnerabilities

WordPress 5.0-5.2.2 - Authenticated Stored XSS in Shortcode Previews

Description

According to the WordPress release notes:

"Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a vulnerability for cross-site scripting (XSS) in shortcode previews."

Affects WordPress

5.2.2
Fixed in WordPress 5.2.3
5.0
Fixed in WordPress 5.0.6
5.0.1
Fixed in WordPress 5.0.6
5.0.2
Fixed in WordPress 5.0.6
5.0.3
Fixed in WordPress 5.0.6
5.0.4
Fixed in WordPress 5.0.6
5.1
Fixed in WordPress 5.1.2
5.1.1
Fixed in WordPress 5.1.2
5.2
Fixed in WordPress 5.2.3
5.2.1
Fixed in WordPress 5.2.3

References

CVE
CVE-2019-16219
URL
https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
URL
https://fortiguard.com/zeroday/FG-VD-18-165
URL
https://www.fortinet.com/blog/threat-research/wordpress-core-stored-xss-vulnerability.html

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Zhouyuan Yang of Fortinet’s FortiGuard Labs
Submitter
Ryan Dewhurst
Verified
No
WPVDB ID
8aca2325-14b8-4b9d-94bd-d20b2c3b0c77

Timeline

Publicly Published
2019-09-05 (about 4 years ago)
Added
2019-09-05 (about 4 years ago)
Last Updated
2020-09-22 (about 3 years ago)

Other

Published
Title
Published
2021-08-23
Title
Limit Login Attempts < 4.0.50 - Unauthenticated Stored Cross-Site Scripting
Published
2023-03-30
Title
PixFields <= 0.7.0 - Contributor+ Stored Cross-Site Scripting
Published
2015-09-12
Title
Royal Slider <= 3.2.6 - Authenticated Cross-Site Scripting (XSS)
Published
2020-08-17
Title
Colorbox Lightbox < 1.1.5 - Contributor+ Stored Cross-Site Scripting
Published
2023-09-04
Title
WooCommerce PensoPay < 6.3.2 - Reflected XSS