Stored Cross-Site Scripting Vulnerability in WordPress Core
Key Information
- Vendor
- WordPress
- Vendor
- CVE Published:
- 3 May 2024
Badges
Summary
The vulnerability CVE-2024-4439 in WordPress Core allows for stored cross-site scripting via user display names in the Avatar block. This vulnerability affects various versions up to 6.5.2 and allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts, as well as unauthenticated attackers to inject arbitrary web scripts in pages with the comment block present. The impact of this vulnerability is considered high, and it affects multiple versions of the WP Core Plugin for WordPress. It is recommended to upgrade to the latest version of the plugin to address this vulnerability. There is potential for exploitation, but there is no specific mention of known exploitation by ransomware groups at this time.
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
CVE-2024-4439 Description, Impact and Technical Details
CVE-2024-4439 is a vulnerability in WordPress Core that affects various versions up to 6.5.2. It allows authenticated attackers with contributor-level…
5 months ago
Rewterz CVE-2024-4439CVE-2024-4439 – WordPress WP Core Plugin Vulnerability - Rewterz
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name.
7 months ago
EPSS Score
1% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
Vulnerability started trending.
- 👾
Exploit exists.
First article discovered by Rewterz
Vulnerability published.