CVE-2022-33994
N/A
N/A
Summary
The Gutenberg plugin through 13.7.3 for WordPress allows stored XSS by the Contributor role via an SVG document to the "Insert from URL" feature. NOTE: the XSS payload does not execute in the context of the WordPress instance's domain; however, analogous attempts by low-privileged users to reference SVG documents are blocked by some similar products, and this behavioral difference might have security relevance to some WordPress site administrators.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://blog.jitendrapatro.me/cve-2022-33994-stored-xss-in-wordpress/
- https://patchstack.com/articles/patchstack-weekly-svg-xss-reported-in-gutenberg/
References
- https://blog.jitendrapatro.me/cve-2022-33994-stored-xss-in-wordpress/
- https://patchstack.com/articles/patchstack-weekly-svg-xss-reported-in-gutenberg/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.