CVE-2019-16780

26.12.2019, 17:15

WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.8 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
GitHub_M	CNA	5.8 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 87%

Vendor	Product	Version
wordpress	wordpress	3.7 < 𝑥 < 5.3.1
wordpress	wordpress	3.7
debian	debian_linux	9.0
debian	debian_linux	10.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

wordpress

bullseye (security)	5.7.11+dfsg1-0+deb11u1 fixed
bullseye	5.7.11+dfsg1-0+deb11u1 fixed
stretch	not-affected
jessie	not-affected
bookworm	6.1.6+dfsg1-0+deb12u1 fixed
bookworm (security)	6.1.6+dfsg1-0+deb12u1 fixed
sid	6.6.1+dfsg1-1 fixed
trixie	6.6.1+dfsg1-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

wordpress

noble	not-affected
mantic	not-affected
lunar	not-affected
kinetic	not-affected
jammy	not-affected
impish	not-affected
hirsute	not-affected
groovy	not-affected
focal	not-affected
eoan	ignored
disco	ignored
bionic	needs-triage
xenial	needs-triage
trusty	dne

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/WordPress/wordpress-develop/commit/505dd6a20b6fc3d06130018c1caeff764248c29e

https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-x3wp-h3qx-9w94

https://hackerone.com/reports/738644

https://seclists.org/bugtraq/2020/Jan/8

https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/

https://wpvulndb.com/vulnerabilities/9976

https://www.debian.org/security/2020/dsa-4599

https://www.debian.org/security/2020/dsa-4677