Description
In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
Remediation
References
Related Vulnerabilities
MODX Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2014-8775)
Jboss EAP Cryptographic Issues Vulnerability (CVE-2014-0035)
Django URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2018-14574)
WordPress 3.8.x Multiple Vulnerabilities (3.8 - 3.8.29)
Moodle Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2024-25983)