WordPress 5.4 to 5.8 – Authenticated XSS in Block Editor | CVE 2021-39201

Description

On September 9, 2021 WordPress version 5.8.1 was released fixing three vulnerabilities.

The official blog post states:

"Props to Michał Bentkowski of Securitum for reporting a XSS vulnerability in the block editor."

Further details:

The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post unfiltered_html.

Affects WordPress

5.8

Fixed in WordPress 5.8.1

5.7.2

Fixed in WordPress 5.7.3

5.7.1

Fixed in WordPress 5.7.3

5.7

Fixed in WordPress 5.7.3

5.6.4

Fixed in WordPress 5.6.5

5.6.3

Fixed in WordPress 5.6.5

5.6.2

Fixed in WordPress 5.6.5

5.6.1

Fixed in WordPress 5.6.5

5.6

Fixed in WordPress 5.6.5

5.5.5

Fixed in WordPress 5.5.6

5.5.4

Fixed in WordPress 5.5.6

5.5.3

Fixed in WordPress 5.5.6

5.5.2

Fixed in WordPress 5.5.6

5.5.1

Fixed in WordPress 5.5.6

5.5

Fixed in WordPress 5.5.6

5.4.6

Fixed in WordPress 5.4.7

5.4.5

Fixed in WordPress 5.4.7

5.4.4

Fixed in WordPress 5.4.7

5.4.3

Fixed in WordPress 5.4.7

5.4.2

Fixed in WordPress 5.4.7

5.4.1

Fixed in WordPress 5.4.7

5.4

Fixed in WordPress 5.4.7

References

CVE

CVE-2021-39201

URL

https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/

URL

https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-wh69-25hr-h94v

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

5.4 (medium)

Miscellaneous

Original Researcher

Michał Bentkowski of Securitum

Verified

WPVDB ID

5b754676-20f5-4478-8fd3-6bc383145811

Timeline

Publicly Published

2021-09-09 (about 4 years ago)

Added

2021-09-09 (about 4 years ago)

Last Updated

2022-05-19 (about 3 years ago)

Other

Published

Title

Published

2021-06-14

Title

10Web Map Builder for Google Maps < 1.0.70 - Authenticated Stored XSS

Published

2024-05-20

Title

Elementor Website Builder < 3.21.6 - Contributor+ DOM Stored XSS

Published

2020-06-23

Title

WooCommerce < 4.2.1 - Potential Cross-Site Scripting (XSS) via SelectWoo

Published

2025-11-18

Title

Pet-Manager – Petfinder < 3.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via kwm-petfinder Shortcode

Published

2024-09-26

Title

Nokaut Offers Box <= 1.4.0 - Plugin Reset via CSRF