CVE Vulnerability

CVE-2022-33994

The Gutenberg plugin through 13.7.3 for WordPress allows stored XSS by the Contributor role via an SVG document to the "Insert from URL" feature. NOTE: the XSS payload does not execute in the context of the WordPress instance's domain; however, analogous attempts by low-privileged users to reference SVG documents are blocked by some similar products, and this behavioral difference might have security relevance to some WordPress site administrators.

3 /10

CVSS v3.0 : LOW

V3 Legend

Vector :

Exploitability : 1.3 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://blog.jitendrapatro.me/cve-2022-33994-stored-xss-in-wordpress/ Third Party Advisory
https://patchstack.com/articles/patchstack-weekly-svg-xss-reported-in-gutenberg/ Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:gutenberg_project:gutenberg:*:*:*:*:*:wordpress:*:*
Information

Published : 2022-07-30 08:15

Updated : 2022-08-16 02:09

NVD link : CVE-2022-33994

Mitre link : CVE-2022-33994

Products Affected
No products.
CWE
CWE-79