CVE-2019-16781 MEDIUM

CVE-2019-16781: Stored cross-site scripting (XSS) in WordPress block editor

Vendor WordPress
Product WordPress
Weakness CWE-79 · XSS
Published December 26, 2019
Last update August 5, 2024

CVSS base score

5.8/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

01 Description

In WordPress before 5.3.1, authenticated users with lower privileges (such as contributors) can inject JavaScript code in the block editor, which is then executed within the dashboard. The XSS is triggered when an admin opens the affected post in the editor.

Key dates

02 Disclosure timeline

December 26, 2019 CVE published
August 5, 2024 Record updated