CVE-2020-4046

Home/CVE/In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in

CVE

In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in

In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

MEDIUM · CVSS 5.4 EPSS 0.06854

Monitor

EPSS percentile: top 8% of all CVEs by exploitation likelihood

Sigma rules0 YARA rules0

⬡

Weakness Classification

CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

▤

Affected Products & Versions

wordpress>= 3.7 and < 3.7.34
wordpress>= 3.8 and < 3.8.34
wordpress>= 3.9 and < 3.9.32
wordpress>= 4.0 and < 4.0.31
wordpress>= 4.1 and < 4.1.31
wordpress>= 4.2 and < 4.2.28
wordpress>= 4.3 and < 4.3.24
wordpress>= 4.4 and < 4.4.23
Show all 20 affected productswordpress>= 4.5 and < 4.5.22
wordpress>= 4.6 and < 4.6.19
wordpress>= 4.7 and < 4.7.18
wordpress>= 4.8 and < 4.8.14
wordpress>= 4.9 and < 4.9.15
wordpress>= 5.0 and < 5.0.10
wordpress>= 5.1 and < 5.1.6
wordpress>= 5.2 and < 5.2.7
wordpress>= 5.3.0 and < 5.3.4
wordpress>= 5.4 and < 5.4.2
debian linuxall versions
fedoraproject fedoraall versions