CVE-2019-16780: XSS
First published: Thu Dec 26 2019(Updated: )
WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/wordpress | 5.0.15+dfsg1-0+deb10u1 5.0.19+dfsg1-0+deb10u1 5.7.8+dfsg1-0+deb11u2 6.1.1+dfsg1-1 6.3.1+dfsg1-1 | |
| WordPress WordPress | >3.7<5.3.1 | |
| WordPress WordPress | =3.7 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 |
Remedy
https://github.com/WordPress/wordpress-develop/commit/505dd6a20b6fc3d06130018c1caeff764248c29e
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-x3wp-h3qx-9w94
- https://github.com/WordPress/wordpress-develop/commit/505dd6a20b6fc3d06130018c1caeff764248c29e
- https://hackerone.com/reports/738644
- https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
- https://security-tracker.debian.org/tracker/CVE-2019-16780
- https://seclists.org/bugtraq/2020/Jan/8
- https://wpvulndb.com/vulnerabilities/9976
- https://www.debian.org/security/2020/dsa-4599
- https://www.debian.org/security/2020/dsa-4677
Frequently Asked Questions
What is CVE-2019-16780?
CVE-2019-16780 is a vulnerability in WordPress that allows users with lower privileges to inject JavaScript code in the block editor, leading to potential XSS attacks.
What is the severity of CVE-2019-16780?
CVE-2019-16780 has a severity rating of 5.4, which is considered medium.
How can WordPress users be affected by CVE-2019-16780?
WordPress users with lower privileges, such as contributors, can be affected by CVE-2019-16780 if they inject JavaScript code in the block editor.
Is authentication required for exploiting CVE-2019-16780?
Yes, exploitation of CVE-2019-16780 requires an authenticated user.
Are there any fixes available for CVE-2019-16780?
Yes, fixes for CVE-2019-16780 are available through the following versions of WordPress: 5.0.15+dfsg1-0+deb10u1, 5.0.19+dfsg1-0+deb10u1, 5.7.8+dfsg1-0+deb11u2, 6.1.1+dfsg1-1, and 6.3.1+dfsg1-1.
- collector/security-tracker-debian
- agent/weakness
- agent/author
- agent/severity
- agent/references
- agent/tags
- agent/type
- agent/event
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/wordpress
- canonical/wordpress wordpress
- version/wordpress wordpress/3.7
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0