CVE-2024-4439

CVSS 3.1 Score 7.2 of 10 (high)

Details

Published May 3, 2024

Updated: Jul 3, 2024

CWE ID 80

Summary

CVE-2024-4439 is a stored Cross-Site Scripting (XSS) vulnerability affecting WordPress Core versions up to 6.5.2. This issue lies in the Avatar block's insufficient output escaping of user display names. Authenticated attackers with contributor-level access and above can inject arbitrary web scripts into pages, causing these scripts to execute whenever a user accesses the injected page. Furthermore, unauthenticated attackers can exploit this vulnerability by injecting web scripts into pages with the comment block present and displaying the comment author's avatar.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

WordPress

Affected Vendors

WordPress

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/vvPeaK
https://www.cve.org/CVERecord?id=CVE-2024-4439
https://nvd.nist.gov/vuln/detail/CVE-2024-4439

Back to Vulnerability Database