NVD Vulnerability Detail

CVE-2019-16780

Summary	WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.
Publication Date	Dec. 27, 2019, 2:15 a.m.
Registration Date	Jan. 26, 2021, 11:40 a.m.
Last Update	Nov. 21, 2024, 1:31 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	https://github.com/WordPress/wordpress-develop/commit/505dd6a20b6fc3d06130018c1caeff764248c29e	Patch Third Party Advisory
2	https://github.com/WordPress/wordpress-develop/commit/505dd6a20b6fc3d06130018c1caeff764248c29e	Patch Third Party Advisory
3	https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-x3wp-h3qx-9w94	Third Party Advisory
4	https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-x3wp-h3qx-9w94	Third Party Advisory
5	https://hackerone.com/reports/738644	Permissions Required Third Party Advisory
6	https://hackerone.com/reports/738644	Permissions Required Third Party Advisory
7	https://seclists.org/bugtraq/2020/Jan/8	Mailing List Third Party Advisory
8	https://seclists.org/bugtraq/2020/Jan/8	Mailing List Third Party Advisory
9	https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/	Release Notes Third Party Advisory
10	https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/	Release Notes Third Party Advisory
11	https://wpvulndb.com/vulnerabilities/9976	Third Party Advisory
12	https://wpvulndb.com/vulnerabilities/9976	Third Party Advisory
13	https://www.debian.org/security/2020/dsa-4599	Third Party Advisory
14	https://www.debian.org/security/2020/dsa-4599	Third Party Advisory
15	https://www.debian.org/security/2020/dsa-4677	Third Party Advisory
16	https://www.debian.org/security/2020/dsa-4677	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

JVN Vulnerability Information

WordPress におけるクロスサイトスクリプティングの脆弱性

Title	WordPress におけるクロスサイトスクリプティングの脆弱性
Summary	WordPress には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	低い権限を持つ認証されたユーザにより、ダッシュボード内で実行される特定のペイロードを使用してブロックエディタに JavaScript コードを挿入されることで、管理者に対してクロスサイトスクリプティング攻撃を実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 13, 2019, midnight
Registration Date	Jan. 9, 2020, 2:56 p.m.
Last Update	Jan. 9, 2020, 2:56 p.m.

Affected System

WordPress.org

WordPress 3.7 から 5.3

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2019-16780	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16780
National Vulnerability Database (NVD)
2	CVE-2019-16780	https://nvd.nist.gov/vuln/detail/CVE-2019-16780

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
GitHub
1	Prevent stored XSS in the block editor.	https://github.com/WordPress/wordpress-develop/commit/505dd6a20b6fc3d06130018c1caeff764248c29e
2	Stored cross-site scripting (XSS) in WordPress block editor	https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-x3wp-h3qx-9w94
WordPress Blog
3	WordPress 5.3.1 Security and Maintenance Release	https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/

Change Log

No	Changed Details	Date of change
1	[2020年01月09日] 掲載	Jan. 9, 2020, 2:56 p.m.