CVE-2022-4973

Summary

WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page.

Affected Software

VendorProductVersion RangeStatus
WordPress FoundationWordPress0 <= 3.6.1affected
WordPress FoundationWordPress3.7 <= 3.7.38affected
WordPress FoundationWordPress3.8 <= 3.8.38affected
WordPress FoundationWordPress3.9 <= 3.9.36affected
WordPress FoundationWordPress4.0 <= 4.0.35affected
WordPress FoundationWordPress4.1 <= 4.1.35affected
WordPress FoundationWordPress4.2 <= 4.2.32affected
WordPress FoundationWordPress4.3 <= 4.3.28affected
WordPress FoundationWordPress4.4 <= 4.4.27affected
WordPress FoundationWordPress4.5 <= 4.5.26affected
WordPress FoundationWordPress4.6 <= 4.6.23affected
WordPress FoundationWordPress4.7 <= 4.7.23affected
WordPress FoundationWordPress4.8 <= 4.8.19affected
WordPress FoundationWordPress4.9 <= 4.9.20affected
WordPress FoundationWordPress5.0 <= 5.0.16affected
WordPress FoundationWordPress5.1 <= 5.1.13affected
WordPress FoundationWordPress5.2 <= 5.2.15affected
WordPress FoundationWordPress5.3 <= 5.3.12affected
WordPress FoundationWordPress5.4 <= 5.4.10affected
WordPress FoundationWordPress5.5 <= 5.5.9affected
WordPress FoundationWordPress5.6 <= 5.6.8affected
WordPress FoundationWordPress5.7 <= 5.7.6affected
WordPress FoundationWordPress5.8 <= 5.8.4affected
WordPress FoundationWordPress5.9 <= 5.9.3affected
WordPress FoundationWordPress6.0 <= 6.0.1affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References