CVE-2019-20042

CVSS V2 Medium 4.3 CVSS V3 Medium 6.1
Description
In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.
Overview
  • CVE ID
  • CVE-2019-20042
  • Assigner
  • cve@mitre.org
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2019-12-27T08:15:09
  • Last Modified Date
  • 2023-01-19T03:13:05
Weakness Enumerations
CWE URL
CWE-79 http://cwe.mitre.org/data/definitions/79.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* 1 OR 5.3.1
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:M/Au:N/C:N/I:P/A:N
  • Access Vector
  • NETWORK
  • Access Compatibility
  • MEDIUM
  • Authentication
  • NONE
  • Confidentiality Impact
  • NONE
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • NONE
  • Base Score
  • 4.3
  • Severity
  • MEDIUM
  • Exploitability Score
  • 8.6
  • Impact Score
  • 2.9
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • NONE
  • User Interaction
  • REQUIRED
  • Scope
  • CHANGED
  • Confidentiality Impact
  • LOW
  • Availability Impact
  • NONE
  • Base Score
  • 6.1
  • Base Severity
  • MEDIUM
  • Exploitability Score
  • 2.8
  • Impact Score
  • 2.7
References
Reference URL Reference Tags
https://blog.ripstech.com/filter/vulnerabilities/ Not Applicable
https://core.trac.wordpress.org/changeset/46894/trunk Patch
https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ Release Notes Vendor Advisory
https://github.com/WordPress/wordpress-develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d Patch
https://wpvulndb.com/vulnerabilities/9975 Release Notes Third Party Advisory
https://www.debian.org/security/2020/dsa-4599
https://seclists.org/bugtraq/2020/Jan/8
https://hackerone.com/reports/509930
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xvg2-m2f4-83m7
https://www.debian.org/security/2020/dsa-4677
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2019-20042
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20042
History
Created Old Value New Value Data Type Notes
2022-05-10 16:54:01 Added to TrackCVE
2022-12-04 08:40:41 2019-12-27T08:15Z 2019-12-27T08:15:09 CVE Published Date updated
2022-12-04 08:40:41 2020-01-10T22:15:11 CVE Modified Date updated
2022-12-04 08:40:41 Undergoing Analysis Vulnerability Status updated
2023-01-19 04:10:58 2023-01-19T03:13:05 CVE Modified Date updated
2023-01-19 04:10:58 Undergoing Analysis Analyzed Vulnerability Status updated