BIT-wordpress-multisite-2020-4049

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/wordpress-multisite/BIT-wordpress-multisite-2020-4049.json
JSON Data
https://api.test.osv.dev/v1/vulns/BIT-wordpress-multisite-2020-4049
Aliases
Published
2024-03-06T11:10:46.697Z
Modified
2024-03-06T11:25:28.861Z
Summary
[none]
Details

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Database specific 
{
    "cpes": [
        "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*"
    ],
    "severity": "Low"
}
References

Affected packages

Bitnami / wordpress-multisite

Package

Name
wordpress-multisite
Purl
pkg:bitnami/wordpress-multisite

Severity

  • 2.4 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
3.7.0
Fixed
3.7.34
Introduced
3.8.0
Fixed
3.8.34
Introduced
3.9.0
Fixed
3.9.32
Introduced
4.0.0
Fixed
4.0.31
Introduced
4.1.0
Fixed
4.1.31
Introduced
4.2.0
Fixed
4.2.28
Introduced
4.3.0
Fixed
4.3.24
Introduced
4.4.0
Fixed
4.4.23
Introduced
4.5.0
Fixed
4.5.22
Introduced
4.6.0
Fixed
4.6.19
Introduced
4.7.0
Fixed
4.7.18
Introduced
4.8.0
Fixed
4.8.14
Introduced
4.9.0
Fixed
4.9.15
Introduced
5.0.0
Fixed
5.0.10
Introduced
5.1.0
Fixed
5.1.6
Introduced
5.2.0
Fixed
5.2.7
Introduced
5.3.0
Fixed
5.3.4
Introduced
5.4.0
Fixed
5.4.2