CVE-2019-16780 MEDIUM

CVE-2019-16780: Stored cross-site scripting (XSS) in WordPress block editor

Vendor Wordpress

Product WordPress

Weakness CWE-79 · XSS

Published December 26, 2019

Last update August 5, 2024

View on NVD All CVEs

CVSS base score

5.8/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction Required

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.

Key dates

02Disclosure timeline

December 26, 2019 CVE published

August 5, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2019-16780 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-11766 WordPress Book Plugin for Displaying Books in Grid, Flip, Slider, Popup Layout and more <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-30826 WordPress IP Locator plugin <= 4.1.0 - Cross Site Scripting (XSS) vulnerability CVE-2025-5490 Football Pool <= 2.12.4 - Authenticated (Administrator+) Stored Cross-Site Scripting CVE-2026-2489 TP2WP Importer <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Watched domains' Textarea CVE-2025-62715 ClipBucket v5: Stored XSS via Collection Tags