CVE-2022-4973

CVE Database · CVE-2022-4973

CVE-2022-4973

· MEDIUMAnalyzed

CVSS v3.1

4.9

EPSS

0.46%

Published

Oct 16, 2024

Modified

Oct 30, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

Weaknesses (CWE)

CWE-79

Affected Products (1)

wordpress · wordpressvulnerable

References (4)

https://core.trac.wordpress.org/changeset/53961

Patch

https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/

Release Notes

https://www.wordfence.com/blog/2022/08/wordpress-core-6-0-2-security-maintenance-release-what-you-need-to-know/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/b5582e89-83e6-4898-b9fe-09eddeb5f7ae?source=cve

Third Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs