Description


The Gutenberg plugin through 13.7.3 for WordPress allows stored XSS by the Contributor role via an SVG document to the "Insert from URL" feature. NOTE: the XSS payload does not execute in the context of the WordPress instance's domain; however, analogous attempts by low-privileged users to reference SVG documents are blocked by some similar products, and this behavioral difference might have security relevance to some WordPress site administrators.

Weaknesses



CWE-79

CVSS impact metrics


CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

3 · Low

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information


Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2022-07-30T20:15:08.490

2 years ago

Last modified

2022-08-16T14:09:12.943

2 years ago