CVE-2019-16781
Status: PUBLISHED
In WordPress before 5.3.1, authenticated users with lower privileges (such as contributors) can inject JavaScript code into the block editor, and that code is executed within the dashboard. When an administrator opens the affected post in the editor, the injected script runs in the administrator's session, resulting in XSS.
EPSS 3.49% · 87.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | wordpress | *, 0, 4.8.2+dfsg-2 |
| Ubuntu:16.04:LTS | wordpress | 0, 4.3+dfsg-1, 4.3.1+dfsg-1 |
Exploit Intelligence
- https://wpvulndb.com/vulnerabilities/9976 (circl)
- https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ (circl)
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v (circl)
- 20200108 [SECURITY] [DSA 4599-1] wordpress security update (circl)
- DSA-4599 (circl)
- DSA-4677 (circl)
- https://hackerone.com/reports/731301 (canonical)
Timeline
- Dec 26, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Aug 5, 2024 CVE Updated
- Mar 17, 2025 EPSS Score
- Mar 24, 2025 EPSS Score
- Mar 29, 2025 EPSS Score
- Mar 30, 2025 EPSS Score
- May 4, 2025 EPSS Score
- Jun 1, 2025 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-16781 third-party-advisory
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v third-party-advisory
- https://hackerone.com/reports/731301 third-party-advisory
- https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ third-party-advisory
- https://wpvulndb.com/vulnerabilities/9976 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-16781 third-party-advisory