CVE-2019-16781
5.4
MEDIUM
CVSS 3.1
EPSS 3.5%
Description
In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.
How to fix CVE-2019-16781
To remediate CVE-2019-16781, upgrade the affected package to a fixed version below.
- Debian/wordpress—upgrade to 5.3.2+dfsg1-1 or later
Is CVE-2019-16781 being exploited?
Low — EPSS is 3.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 5.3.2+dfsg1-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |