Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2021-39201

HIGH
Published 2021-09-09T21:35:08
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2021-39201. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
7.6
/10
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.004
probability
of exploitation in the wild

There is a 0.4% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.617
Higher than 61.7% of all CVEs

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED

Impact Metrics

Confidentiality
HIGH
Integrity
LOW
Availability
NONE

Description

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. ### References https://wordpress.org/news/category/releases/ https://hackerone.com/reports/1142140 ### For more information If you have any questions or comments about this advisory: * Open an issue in [HackerOne](https://hackerone.com/wordpress)

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

WordPress

wordpress-develop

Affected Versions:

>= 5.0, < 5.8.0

WordPress Vulnerability

Identified and analyzed by Wordfence

Software Type

Core

Patch Status

Patched

Published

September 9, 2021

Software Details

Software Name

WordPress

Software Slug

wordpress

Affected Versions

[5.4, 5.4.7) [5.5, 5.5.6) [5.6, 5.6.5) [5.7, 5.7.3) [5.8, 5.8.1)

Patched Versions

5.4.7 5.5.6 5.6.5 5.7.3 5.8.1

Remediation

Update to one of the following versions, or a newer patched version: 5.4.7, 5.5.6, 5.6.5, 5.7.3, 5.8.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/b801e7d9-0ca0-471e-a524-af19ea0d85be?source=api-prod

© Defiant Inc. Data provided by Wordfence.

References

https://hackerone.com/reports/1142140
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-wh69-25hr-h94v
https://www.debian.org/security/2021/dsa-4985
Published: 2021-09-09T21:35:08
Last Modified: 2024-08-04T01:58:18.168Z
Copied to clipboard!