CVE-2019-16780
PUBLISHED
WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.
Risk Scores
EPSS Score: 3.61% (88.0th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | wordpress | 4.3+dfsg-1, 4.3.1+dfsg-1, 4.4+dfsg-1 |
| Ubuntu:18.04:LTS | wordpress | 0, 4.8.3+dfsg-1, 4.9.2+dfsg-1 |
Exploit Intelligence
- https://wpvulndb.com/vulnerabilities/9976 (circl)
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-x3wp-h3qx-9w94 (circl)
- https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ (circl)
- https://github.com/WordPress/wordpress-develop/commit/505dd6a20b6fc3d06130018c1caeff764248c29e (circl)
- 20200108 [SECURITY] [DSA 4599-1] wordpress security update (circl)
- DSA-4599 (circl)
- DSA-4677 (circl)
- https://hackerone.com/reports/738644 (canonical)
Timeline
- Dec 26, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Aug 5, 2024 CVE Updated
- Mar 17, 2025 EPSS Score
- Mar 24, 2025 EPSS Score
- Mar 29, 2025 EPSS Score
- Mar 30, 2025 EPSS Score
- May 4, 2025 EPSS Score
- Jun 1, 2025 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-16780 third-party-advisory
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-x3wp-h3qx-9w94 third-party-advisory
- https://github.com/WordPress/wordpress-develop/commit/505dd6a20b6fc3d06130018c1caeff764248c29e third-party-advisory
- https://hackerone.com/reports/738644 third-party-advisory
- https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ third-party-advisory
- https://wpvulndb.com/vulnerabilities/9976 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-16780 third-party-advisory