Vulnerability in Wordpress Foundation
CVE-2024-4439
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attack…
EPSS: 0.906 (99.6th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N.
Affected products
- Wordpress Foundation — versions 6.0, 6.1, 6.2
Public proof-of-concept exploits
References
- www.wordfence.com/threat-intel/vulnerabilities/id/e363c09a-4381-4b3a-951c-9a0ff…
- wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/
- core.trac.wordpress.org/changeset
- core.trac.wordpress.org/changeset/57951/branches/6.4/src/wp-includes/blocks/ava…
- www.wordfence.com/blog/2024/04/unauthenticated-stored-cross-site-scripting-vuln…
Frequently asked questions
- What is CVE-2024-4439?
- CVE-2024-4439 is a high-severity vulnerability in Wordpress Foundation, classified under CWE-79 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING'). CVSS score: 7.2/10. Published 2024-05-03.
- How severe is CVE-2024-4439?
- High severity. CVSS v3 base score is 7.2 out of 10.
- Is CVE-2024-4439 known to be exploited?
- 10 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.