vulnerability
Wordpress: CVE-2020-4046: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:S/C:N/I:P/A:N) | Jun 12, 2020 | Aug 12, 2020 | Aug 11, 2025 |
Severity
4
CVSS
(AV:N/AC:M/Au:S/C:N/I:P/A:N)
Published
Jun 12, 2020
Added
Aug 12, 2020
Modified
Aug 11, 2025
Description
In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
Solutions
wordpress-upgrade-3_7_34wordpress-upgrade-3_8_34wordpress-upgrade-3_9_32wordpress-upgrade-4_0_31wordpress-upgrade-4_1_31wordpress-upgrade-4_2_28wordpress-upgrade-4_3_24wordpress-upgrade-4_4_23wordpress-upgrade-4_5_22wordpress-upgrade-4_6_19wordpress-upgrade-4_7_18wordpress-upgrade-4_8_14wordpress-upgrade-4_9_15wordpress-upgrade-5_0_10wordpress-upgrade-5_1_6wordpress-upgrade-5_2_7wordpress-upgrade-5_3_4wordpress-upgrade-5_4_2
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.