BIT-wordpress-multisite-2020-4047

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/wordpress-multisite/BIT-wordpress-multisite-2020-4047.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-wordpress-multisite-2020-4047
Aliases
Published
2024-03-06T11:10:57.188Z
Modified
2025-01-14T08:57:30.862279Z
Summary
[none]
Details

In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Database specific 
{
    "cpes": [
        "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}
References

Affected packages

Bitnami / wordpress-multisite

Package

Name
wordpress-multisite
Purl
pkg:bitnami/wordpress-multisite

Severity

  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
3.7.0
Fixed
3.7.34
Introduced
3.8.0
Fixed
3.8.34
Introduced
3.9.0
Fixed
3.9.32
Introduced
4.0.0
Fixed
4.0.31
Introduced
4.1.0
Fixed
4.1.31
Introduced
4.2.0
Fixed
4.2.28
Introduced
4.3.0
Fixed
4.3.24
Introduced
4.4.0
Fixed
4.4.23
Introduced
4.5.0
Fixed
4.5.22
Introduced
4.6.0
Fixed
4.6.19
Introduced
4.7.0
Fixed
4.7.18
Introduced
4.8.0
Fixed
4.8.14
Introduced
4.9.0
Fixed
4.9.15
Introduced
5.0.0
Fixed
5.0.10
Introduced
5.1.0
Fixed
5.1.6
Introduced
5.2.0
Fixed
5.2.7
Introduced
5.3.0
Fixed
5.3.4
Introduced
5.4.0
Fixed
5.4.2