CVE-2021-39202 HIGH

CVE-2021-39202: WordPress 5.8 beta: Stored Cross-Site Scripting (XSS) vulnerability in widget

Vendor WordPress
Product wordpress-develop
Weakness CWE-79 · XSS
Published September 9, 2021
Last update August 4, 2024

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Scope Changed
Confidentiality High
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

What the vulnerability does

01 Description

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions, the widgets editor introduced in WordPress 5.8 beta 1 handles HTML input in the Custom HTML feature improperly, which allows stored cross-site scripting (XSS) through the Custom HTML widget. The issue was present only in the pre-release (beta) builds of 5.8 and is patched in the WordPress 5.8 release. Read together with the CVSS vector above, the usual stored-XSS pattern applies: an authenticated user with low privileges stores the payload (PR:L), and it executes in the browser of another user who later views the widget (UI:R, scope changed), which is why confidentiality impact is rated High.
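The following is an added illustration of the sanitization pattern the description refers to; it is not WordPress core code and not the CVE-2021-39202 patch. It shows a widget update handler that stores submitted HTML verbatim next to one that gates raw markup on the unfiltered_html capability and otherwise filters it through wp_kses_post(). The class names prefixed Example_ and the widget IDs are hypothetical; the code assumes the WordPress runtime (WP_Widget, current_user_can(), wp_kses_post(), register_widget()).

```php
<?php
/*
 * Illustrative example only (hypothetical classes, not WordPress core and not
 * the CVE-2021-39202 fix). Assumes it is loaded inside a WordPress site so that
 * WP_Widget, current_user_can(), wp_kses_post() and register_widget() exist.
 */

// Weak pattern: whatever the editor submits is stored as-is and later echoed
// unchanged, so any user allowed to save the widget can persist a <script>
// element or an event-handler attribute that runs in every viewer's browser.
class Example_Raw_Html_Widget extends WP_Widget {
    public function __construct() {
        parent::__construct( 'example_raw_html', 'Example Raw HTML (weak)' );
    }

    public function update( $new_instance, $old_instance ) {
        $instance            = $old_instance;
        $instance['content'] = isset( $new_instance['content'] )
            ? (string) $new_instance['content']
            : ''; // no capability check, no filtering
        return $instance;
    }

    public function widget( $args, $instance ) {
        echo $args['before_widget'] . $instance['content'] . $args['after_widget'];
    }
}

// Hardened pattern: only a user who holds the unfiltered_html capability may
// store raw markup; for everyone else the content is reduced to the allowlist
// used for post content, which drops script elements and on* attributes.
class Example_Filtered_Html_Widget extends WP_Widget {
    public function __construct() {
        parent::__construct( 'example_filtered_html', 'Example Filtered HTML (hardened)' );
    }

    public function update( $new_instance, $old_instance ) {
        $instance = $old_instance;
        $content  = isset( $new_instance['content'] )
            ? (string) $new_instance['content']
            : '';

        if ( current_user_can( 'unfiltered_html' ) ) {
            $instance['content'] = $content;
        } else {
            $instance['content'] = wp_kses_post( $content );
        }
        return $instance;
    }

    public function widget( $args, $instance ) {
        // Content was filtered (or explicitly allowed) at save time; render it.
        echo $args['before_widget'] . $instance['content'] . $args['after_widget'];
    }
}

// Register only the hardened widget; the weak one is shown for contrast.
add_action( 'widgets_init', function () {
    register_widget( 'Example_Filtered_Html_Widget' );
} );
```

The practitioner's check is that filtering happens on every save path, not just the classic widget form: any editor or API that can write widget content must run the same capability check and wp_kses_post() call, otherwise a low-privileged user can bypass it through the path that forgot to filter.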

Key dates

02 Disclosure timeline

September 9, 2021 CVE published
August 4, 2024 Record updated