BIT-wordpress-2020-4047

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/wordpress/BIT-wordpress-2020-4047.json

JSON Data

https://api.test.osv.dev/v1/vulns/BIT-wordpress-2020-4047

Aliases

Published

2024-03-06T11:11:09.281Z

Modified

2024-03-06T11:25:28.861Z

Summary

[none]

Details

In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Database specific

{
    "cpes": [
        "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}

References

Affected packages

Bitnami / wordpress

Package

Name: wordpress
Purl: pkg:bitnami/wordpress

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

3.7.0

Fixed

3.7.34

Introduced

3.8.0

Fixed

3.8.34

Introduced

3.9.0

Fixed

3.9.32

Introduced

4.0.0

Fixed

4.0.31

Introduced

4.1.0

Fixed

4.1.31

Introduced

4.2.0

Fixed

4.2.28

Introduced

4.3.0

Fixed

4.3.24

Introduced

4.4.0

Fixed

4.4.23

Introduced

4.5.0

Fixed

4.5.22

Introduced

4.6.0

Fixed

4.6.19

Introduced

4.7.0

Fixed

4.7.18

Introduced

4.8.0

Fixed

4.8.14

Introduced

4.9.0

Fixed

4.9.15

Introduced

5.0.0

Fixed

5.0.10

Introduced

5.1.0

Fixed

5.1.6

Introduced

5.2.0

Fixed

5.2.7

Introduced

5.3.0

Fixed

5.3.4

Introduced

5.4.0

Fixed

5.4.2