WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-05-03T05:32:34.988Z
Updated: 2024-08-01T20:40:47.361Z
Reserved: 2024-05-02T16:33:12.426Z
Link: CVE-2024-4439
Vulnrichment
Updated: 2024-08-01T20:40:47.361Z
NVD
Status : Awaiting Analysis
Published: 2024-05-03T06:15:14.947
Modified: 2024-11-21T09:42:50.027
Link: CVE-2024-4439
Redhat
No data.