Authenticated XSS via media attachment page in WordPress

In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

Web页面中脚本相关HTML标签转义处理不恰当(基本跨站脚本)

WordPress 安全漏洞

WordPress是WordPress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。 WordPress中存在安全漏洞。攻击者可利用该漏洞在某些媒体文件附件页面注入JavaScript代码，执行脚本。以下产品及版本受到影响：WordPress 5.3.4版本，5.2.7版本，5.1.6版本，5.0.10版本，4.9.15版本，4.8.14版本，4.7.18， 4.6.19版本，4.5.22版本，4.4.23版本，4.3.24版本，4.2.28版本，4.

N/A

N/A