In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
| Link | Tags |
|---|---|
| https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/ | release notes vendor advisory |
| https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-8q2w-5m27-wm27 | third party advisory |
| https://github.com/WordPress/wordpress-develop/commit/0977c0d6b241479ecedfe19e96be69f727c3f81f | patch |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/ | vendor advisory |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/ | vendor advisory |
| https://www.debian.org/security/2020/dsa-4709 | vendor advisory mailing list third party advisory |
| https://lists.debian.org/debian-lts-announce/2020/07/msg00000.html | third party advisory mailing list |
| https://lists.debian.org/debian-lts-announce/2020/09/msg00011.html | third party advisory mailing list |