CVE-2022-4973

WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page.
Configurations

Configuration 1 (hide)

cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*

History

30 Oct 2024, 15:58

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 4.9
v2 : unknown
v3 : 5.4
CPE cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
First Time Wordpress
Wordpress wordpress
References () https://core.trac.wordpress.org/changeset/53961 - () https://core.trac.wordpress.org/changeset/53961 - Patch
References () https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/ - () https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/ - Release Notes
References () https://www.wordfence.com/blog/2022/08/wordpress-core-6-0-2-security-maintenance-release-what-you-need-to-know/ - () https://www.wordfence.com/blog/2022/08/wordpress-core-6-0-2-security-maintenance-release-what-you-need-to-know/ - Third Party Advisory
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/b5582e89-83e6-4898-b9fe-09eddeb5f7ae?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/b5582e89-83e6-4898-b9fe-09eddeb5f7ae?source=cve - Third Party Advisory

16 Oct 2024, 16:38

Type Values Removed Values Added
Summary
  • (es) WordPress Core, en versiones hasta la 6.0.2, es vulnerable a cross-site scripting almacenado autenticados que pueden ser explotadas por usuarios con acceso al editor de publicaciones y páginas de WordPress, que generalmente consisten en autores, colaboradores y editores, lo que hace posible inyectar secuencias de comandos web arbitrarias en publicaciones y páginas que se ejecutan si se llama a la función the_meta(); en esa página.

16 Oct 2024, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-16 07:15

Updated : 2024-10-30 15:58


NVD link : CVE-2022-4973

Mitre link : CVE-2022-4973

CVE.ORG link : CVE-2022-4973


JSON object : View

Products Affected

wordpress

  • wordpress
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')