CVE-2024-4439

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-4439
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-4439.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-4439
Aliases
Downstream
Published
2024-05-03T06:15:14.947Z
Modified
2026-03-15T14:51:34.939659Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.

References

Affected packages

Git / github.com/wordpress/wordpress

Affected ranges

Type
GIT
Repo
https://github.com/wordpress/wordpress
Events
Introduced
cc101b64012b16d087780657a2b828ccd7794a63
Last affected
8e188eb150ba5668e5ca42fe599788af2f897c11
Introduced
6c5d5b5dcb9712bfc400b09cb6627e42898527af
Last affected
0829db91f97d7c11e8186761dfcb0ad16dbd0e1f
Introduced
17e2eff4aa3beb2802cbec12b6f08e2fbf69893d
Last affected
6e337fb3bd4d7035dc507df7e5cad477a64e8724
Introduced
ac3899153a790a6f060dc816ff94812e0fd99875
Last affected
3a495a2d71987d21c6eeaa403eb656b7fb785217
Introduced
e75a577410e912e1408c49ace9103c3ee9997d76
Last affected
ab5f082a5c8b958175e9860b4aff947a3b354f6c
Database specific 
{
    "versions": [
        {
            "introduced": "6.0"
        },
        {
            "last_affected": "6.0.7"
        },
        {
            "introduced": "6.1"
        },
        {
            "last_affected": "6.1.5"
        },
        {
            "introduced": "6.2"
        },
        {
            "last_affected": "6.2.4"
        },
        {
            "introduced": "6.3"
        },
        {
            "last_affected": "6.3.3"
        },
        {
            "introduced": "6.5"
        },
        {
            "last_affected": "6.5.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/wordpress/wordpress-develop
Events
Introduced
82dab16707a0a9af6a9707fed979a559aefdd511
Last affected
9e9559d6d6bd2327dee822c305b2905b65a91ef2
Database specific 
{
    "versions": [
        {
            "introduced": "6.4.0"
        },
        {
            "last_affected": "6.4.3"
        }
    ]
}

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-4439.json"