First published: Thu Dec 26 2019
WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
debian/wordpress | 5.0.15+dfsg1-0+deb10u1, 5.0.19+dfsg1-0+deb10u1, 5.7.8+dfsg1-0+deb11u2, 6.1.1+dfsg1-1, 6.3.1+dfsg1-1 | |
WordPress WordPress | >3.7 <5.3.1 | |
WordPress WordPress | =3.7 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Fix commit: https://github.com/WordPress/wordpress-develop/commit/505dd6a20b6fc3d06130018c1caeff764248c29e
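An added check, not part of this advisory or of the WordPress project, that reads a WordPress install's `wp-includes/version.php`, extracts `$wp_version`, and compares it against the affected range from the table above (3.7 up to, but not including, 5.3.1). The function names are mine and the `version.php` content is a constructed sample. One caveat a practitioner needs: installs on the 3.7 to 5.2 branches that received the backported minor release are also fixed, but those branch release numbers are not listed on this page, so the check flags everything below 5.3.1 for manual review rather than declaring it fixed.

```python
import os
import re
import sys
from typing import Optional, Tuple

# Affected upstream range from the advisory table: 3.7 <= version < 5.3.1.
AFFECTED_MIN: Tuple[int, int, int] = (3, 7, 0)
FIXED_IN: Tuple[int, int, int] = (5, 3, 1)

# WordPress stores its version as $wp_version in wp-includes/version.php.
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.3.1' into (5, 3, 1) and '5.3' into (5, 3, 0).

    Pre-release suffixes such as '5.4-alpha-47000' are dropped before parsing.
    """
    core = text.split("-", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's affected range.

    Caveat: branches 3.7 through 5.2 that received the backported minor
    release are fixed too, but this page does not list those release
    numbers, so anything below 5.3.1 is flagged for manual review.
    """
    v = parse_version(version)
    return AFFECTED_MIN <= v < FIXED_IN


def version_from_php(source: str) -> Optional[str]:
    """Extract the $wp_version string from version.php source text."""
    m = VERSION_RE.search(source)
    return m.group(1) if m else None


def check_install(source: str) -> dict:
    """Report the detected version and whether it is in the affected range."""
    version = version_from_php(source)
    if version is None:
        return {"version": None, "affected": None}
    return {"version": version, "affected": is_affected(version)}


def check_install_dir(root: str) -> dict:
    """Check a WordPress install rooted at `root` (hypothetical helper)."""
    path = os.path.join(root, "wp-includes", "version.php")
    with open(path, encoding="utf-8") as f:
        return check_install(f.read())


# Constructed sample of version.php content; not copied from any real install.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string.
 */
$wp_version = '5.3';
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_install_dir(sys.argv[1]))
    else:
        print(check_install(SAMPLE_VERSION_PHP))
```

Run it with the path to a WordPress document root to check a real install, or with no arguments to see the constructed sample (5.3, which is flagged as affected) evaluated.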
CVE-2019-16780 is a vulnerability in WordPress that allows users with lower privileges to inject JavaScript code in the block editor, leading to potential XSS attacks.
CVE-2019-16780 has a severity rating of 5.4, which is considered medium.
WordPress users with lower privileges, such as contributors, can exploit CVE-2019-16780 by injecting JavaScript code in the block editor; the injected script executes in the dashboard of a higher-privileged user, such as an admin, who opens the post in the editor.
Yes, exploitation of CVE-2019-16780 requires an authenticated user.
Yes, fixes for CVE-2019-16780 are available: upstream in WordPress 5.3.1 (and in minor releases for the 3.7 to 5.3 branches), and in the following Debian wordpress package versions: 5.0.15+dfsg1-0+deb10u1, 5.0.19+dfsg1-0+deb10u1, 5.7.8+dfsg1-0+deb11u2, 6.1.1+dfsg1-1, and 6.3.1+dfsg1-1.