cnvd - cnvd-2021-24378

cnvd-2021-24378

Vulnerability from cnvd

Title

WordPress跨站脚本漏洞（CNVD-2021-24378）

Description

WordPress是WordPress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。 WordPress中存在跨站脚本漏洞，该漏洞源于WEB应用缺少对客户端数据的正确验证，攻击者可利用该漏洞执行客户端代码。

Severity

低

Patch Name

WordPress跨站脚本漏洞（CNVD-2021-24378）的补丁

Patch Description

WordPress是WordPress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。 WordPress中存在跨站脚本漏洞，该漏洞源于WEB应用缺少对客户端数据的正确验证，攻击者可利用该漏洞执行客户端代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已提供漏洞修补方案，请关注厂商主页及时更新： https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-4046

Impacted products

Name
['WordPress WordPress 5.3.4', 'WordPress WordPress 5.2.7', 'WordPress WordPress 5.1.6', 'WordPress WordPress 5.0.10', 'WordPress WordPress 4.9.15', 'WordPress WordPress 4.8.14', 'WordPress WordPress 4.7.18', 'WordPress WordPress 4.5.22', 'WordPress WordPress 4.4.23', 'WordPress WordPress 4.3.24', 'WordPress WordPress 4.2.28', 'WordPress WordPress 4.1.31', 'WordPress WordPress 4.0.31', 'WordPress WordPress 3.9.32', 'WordPress WordPress 3.8.34', 'WordPress WordPress 3.7.34', 'WordPress WordPress 4.6.19']

Name

['WordPress WordPress 5.3.4', 'WordPress WordPress 5.2.7', 'WordPress WordPress 5.1.6', 'WordPress WordPress 5.0.10', 'WordPress WordPress 4.9.15', 'WordPress WordPress 4.8.14', 'WordPress WordPress 4.7.18', 'WordPress WordPress 4.5.22', 'WordPress WordPress 4.4.23', 'WordPress WordPress 4.3.24', 'WordPress WordPress 4.2.28', 'WordPress WordPress 4.1.31', 'WordPress WordPress 4.0.31', 'WordPress WordPress 3.9.32', 'WordPress WordPress 3.8.34', 'WordPress WordPress 3.7.34', 'WordPress WordPress 4.6.19']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-4046"
    }
  },
  "description": "WordPress\u662fWordPress\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002\n\nWordPress\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eWEB\u5e94\u7528\u7f3a\u5c11\u5bf9\u5ba2\u6237\u7aef\u6570\u636e\u7684\u6b63\u786e\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5df2\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u8865\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u53ca\u65f6\u66f4\u65b0\uff1a\r\nhttps://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-24378",
  "openTime": "2021-04-02",
  "patchDescription": "WordPress\u662fWordPress\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002\r\n\r\nWordPress\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eWEB\u5e94\u7528\u7f3a\u5c11\u5bf9\u5ba2\u6237\u7aef\u6570\u636e\u7684\u6b63\u786e\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "WordPress\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2021-24378\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "WordPress WordPress 5.3.4",
      "WordPress WordPress 5.2.7",
      "WordPress WordPress 5.1.6",
      "WordPress WordPress 5.0.10",
      "WordPress WordPress 4.9.15",
      "WordPress WordPress 4.8.14",
      "WordPress WordPress 4.7.18",
      "WordPress WordPress 4.5.22",
      "WordPress WordPress 4.4.23",
      "WordPress WordPress 4.3.24",
      "WordPress WordPress 4.2.28",
      "WordPress WordPress 4.1.31",
      "WordPress WordPress 4.0.31",
      "WordPress WordPress 3.9.32",
      "WordPress WordPress 3.8.34",
      "WordPress WordPress 3.7.34",
      "WordPress WordPress 4.6.19"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-4046",
  "serverity": "\u4f4e",
  "submitTime": "2020-06-15",
  "title": "WordPress\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2021-24378\uff09"
}

CVE-2020-4046 (GCVE-0-2020-4046)

Vulnerability from cvelistv5

Published

2020-06-12 15:55

Modified

2024-08-04 07:52

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Summary

In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

References

URL

Tags

	https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rpwf-hrh2-39jf	x_refsource_CONFIRM
	https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/	vendor-advisory, x_refsource_FEDORA
	https://www.debian.org/security/2020/dsa-4709	vendor-advisory, x_refsource_DEBIAN
	https://lists.debian.org/debian-lts-announce/2020/07/msg00000.html	mailing-list, x_refsource_MLIST