WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Vulnerabilities

WP < 6.0.2 - Authenticated Stored Cross-Site Scripting

Description

There is a lack of escaping of the meta keys and values in the_meta() function, which could lead to Cross-Site Scripting issue

Affects WordPress

6.0.1
Fixed in version 6.0.2
6.0
Fixed in version 6.0.2
5.9.3
Fixed in version 5.9.4
5.9.2
Fixed in version 5.9.4
5.9.1
Fixed in version 5.9.4
5.9
Fixed in version 5.9.4
5.8.4
Fixed in version 5.8.5
5.8.3
Fixed in version 5.8.5
5.8.2
Fixed in version 5.8.5
5.8.1
Fixed in version 5.8.5

References

URL
https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

John Blackbourn

Verified

Yes

WPVDB ID
3b1573d4-06b4-442b-bad5-872753118ee0

Timeline

Publicly Published

2022-08-30 (about 6 months ago)

Added

2022-08-30 (about 6 months ago)

Last Updated

2022-08-30 (about 6 months ago)

Our Other Services

WPScan WordPress Security Plugin