WordPress Vulnerabilities

WordPress 5.2.2 - Cross-Site Scripting (XSS) in Dashboard

Description

According to the WordPress release notes:

"Props to Ian Dunn of the Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard."

Affects WordPress

5.2.2
Fixed in WordPress 5.2.3

References

CVE
CVE-2019-16221
URL
https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Ian Dunn - Core Security Team
Submitter
Ryan Dewhurst
Verified
No
WPVDB ID
6034fc8a-c418-467a-a7cf-893d1524447e

Timeline

Publicly Published
2019-09-05 (about 6 years ago)
Added
2019-09-05 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2025-02-01
Title
WP Event Aggregator < 1.8.3 - Reflected Cross-Site Scripting
Published
2025-08-27
Title
Houzez < 4.1.4 - Reflected Cross-Site Scripting
Published
2025-01-06
Title
WP Triggers Lite <= 2.5.3 - Admin+ SQL Injection
Published
2024-12-06
Title
워드프레스 결제 심플페이 – 우커머스 결제 플러그인 < 5.2.3 - Reflected Cross-Site Scripting via add_query_arg Function
Published
2024-11-22
Title
Generic Elements <= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting