JVN#09409909
Multiple vulnerabilities in WordPress

Overview

WordPress contains multiple vulnerabilities.

Products Affected

• WordPress versions prior to 6.0.3

Description

WordPress contains multiple vulnerabilities listed below which are to the WordPress Post by Email Feature.

• Stored Cross-site scripting (CWE-79) - CVE-2022-43497

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 6.1
  CVSS v2	AV:N/AC:M/Au:N/C:N/I:P/A:N	Base Score: 4.3

• Stored Cross-site scripting (CWE-79) - CVE-2022-43500

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 6.1
  CVSS v2	AV:N/AC:M/Au:N/C:N/I:P/A:N	Base Score: 4.3

• Improper authentication (CWE-287) - CVE-2022-43504

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	Base Score: 5.3
  CVSS v2	AV:N/AC:L/Au:N/C:P/I:N/A:N	Base Score: 5.0

Impact

• An arbitrary script may be executed on the web browser of the user who is accessing the website using the product - CVE-2022-43497, CVE-2022-43500
• A remote unauthenticated attacker may obtain the email address of the user who posted a blog using the WordPress Post by Email Feature - CVE-2022-43504

Solution

Update the Software
Update to the latest version according to the information provided by the developer.
According to the developer, these vulnerabilities have been fixed in version 6.0.3.
The developer also provides new patched releases for all versions since 3.7.