WordPress Vulnerabilities

WordPress 5.2.2 - Cross-Site Scripting (XSS) in Stored Comments

Description

From the WordPress version release notes:

"Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first, a cross-site scripting (XSS) vulnerability found in post previews by contributors. The second was a cross-site scripting vulnerability in stored comments."

Affects WordPress

5.2.2
Fixed in WordPress 5.2.3

References

CVE
CVE-2019-16218
URL
https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Simon Scannell of RIPS Technologies
Verified
No
WPVDB ID
1b880386-021d-43b1-9988-e196955c7a3e

Timeline

Publicly Published
2019-09-05 (about 6 years ago)
Added
2019-09-05 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2023-02-15
Title
JSON Content Importer < 1.3.16 - Admin+ Stored XSS
Published
2025-05-27
Title
Volunteer Sign Up Sheets < 5.5.5 - Authenticated (Admin+) Stored Cross-site Scripting
Published
2023-02-24
Title
All in One SEO Pack < 4.3.0 - Contributor+ Stored XSS
Published
2024-12-04
Title
Contact Form Builder < 4.10.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via livesite-pay Shortcode
Published
2025-02-17
Title
CATS Job Listings <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting