Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-4439

WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.

Published

2024-05-03T06:15:14.947

Last Modified

2026-01-05T15:35:42.727

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.2 (HIGH)

Weaknesses

Type: Secondary
CWE-80

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	wordpress	wordpress	≤ 6.0.7	Yes
Application	wordpress	wordpress	≤ 6.1.5	Yes
Application	wordpress	wordpress	≤ 6.2.4	Yes
Application	wordpress	wordpress	≤ 6.3.3	Yes
Application	wordpress	wordpress	≤ 6.4.3	Yes
Application	wordpress	wordpress	≤ 6.5.1	Yes

References

https://core.trac.wordpress.org/changeset/57951/branches/6.4/src/wp-includes/blocks/avatar.php Patch ([email protected])
https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=57950%40%2F&new=57950%40%2F&sfp_email=&sfph_mail=#file3 Patch ([email protected])
https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/ Vendor Advisory ([email protected])
https://www.wordfence.com/blog/2024/04/unauthenticated-stored-cross-site-scripting-vulnerability-patched-in-wordpress-core/ Exploit, Third Party Advisory ([email protected])
https://www.wordfence.com/threat-intel/vulnerabilities/id/e363c09a-4381-4b3a-951c-9a0ff5669016?source=cve Third Party Advisory ([email protected])
https://core.trac.wordpress.org/changeset/57951/branches/6.4/src/wp-includes/blocks/avatar.php Patch (af854a3a-2127-422b-91ae-364da2661108)
https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=57950%40%2F&new=57950%40%2F&sfp_email=&sfph_mail=#file3 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/ Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.wordfence.com/blog/2024/04/unauthenticated-stored-cross-site-scripting-vulnerability-patched-in-wordpress-core/ Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.wordfence.com/threat-intel/vulnerabilities/id/e363c09a-4381-4b3a-951c-9a0ff5669016?source=cve Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)