The Gutenberg plugin through 13.7.3 for WordPress allows stored XSS by the Contributor role via an SVG document to the "Insert from URL" feature. NOTE: the XSS payload does not execute in the context of the WordPress instance's domain; however, analogous attempts by low-privileged users to reference SVG documents are blocked by some similar products, and this behavioral difference might have security relevance to some WordPress site administrators.
Published 2022-07-30 20:15:08
Updated 2022-08-16 14:09:13
Source MITRE
View at NVD, CVE.org
Vulnerability category: Cross site scripting (XSS)
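The record above describes the mechanism only in outline: a Contributor supplies the URL of an SVG document to Gutenberg's "Insert from URL" feature, and an SVG can carry script, event-handler attributes or javascript: links. The following is an added example, not code from the CVE record, from Gutenberg or from WordPress: a server-side policy check, written in Python for illustration, of the kind a site administrator could apply to a fetched remote document before letting a low-privileged user embed it. It classifies the document as SVG by Content-Type or root element, lists the active content it finds, and refuses SVG outright for roles that are not trusted with unfiltered markup. The role set, function names and sample documents are constructed for this example.

```python
"""
Added example (not part of the CVE record or of the Gutenberg/WordPress code):
classify a fetched document as SVG, enumerate scriptable content in it, and
decide whether a user with a given role may embed it by URL.
"""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Roles assumed to be trusted with arbitrary markup. On a single-site WordPress
# install the 'unfiltered_html' capability is held by administrators and
# editors; Contributors (the role named in the CVE) do not have it.
# This mapping is constructed for the example.
TRUSTED_ROLES = {"administrator", "editor"}

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed sample documents (not taken from any real report):
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10"/></svg>')
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>alert(1)</script></svg>')
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
               b'<circle r="5" onload="alert(1)"/></svg>')
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')


def _local(name: str) -> str:
    """Strip a {namespace} prefix from an ElementTree tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def is_svg(content_type: str, body: bytes) -> bool:
    """True if the response claims image/svg+xml or the body's root is <svg>."""
    if content_type.split(";")[0].strip().lower() == "image/svg+xml":
        return True
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return _local(root.tag) == "svg"


def svg_active_content(body: bytes) -> list[str]:
    """Return the reasons an SVG document can run script in a viewer.

    Checks <script> and <foreignObject> elements, on* event-handler
    attributes, and href/xlink:href values using the javascript: scheme.
    """
    reasons: list[str] = []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["unparseable XML"]
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag in ("script", "foreignobject"):
            reasons.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                reasons.append(f"event handler {name}")
            if name == "href" and value.strip().lower().startswith("javascript:"):
                reasons.append("javascript: href")
    return reasons


def allow_insert_from_url(role: str, url: str, content_type: str,
                          body: bytes) -> tuple[bool, str]:
    """Policy decision for embedding a remote document fetched from `url`.

    Trusted roles may embed anything over http(s). Other roles may embed
    non-SVG media only; an SVG is refused whether or not active content is
    found, because the remote document can change after this check.
    """
    if urlparse(url).scheme not in ("http", "https"):
        return False, "non-http(s) URL"
    if role in TRUSTED_ROLES:
        return True, "trusted role"
    if not is_svg(content_type, body):
        return True, "not an SVG document"
    reasons = svg_active_content(body)
    if reasons:
        return False, "SVG with active content: " + ", ".join(reasons)
    return False, "SVG documents are not permitted for this role"


if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                      ("handler", HANDLER_SVG), ("href", HREF_SVG)]:
        print(name, allow_insert_from_url("contributor", "https://example.com/x.svg",
                                          "image/svg+xml", doc))
```

The check inspects whatever the server fetched at review time; a remote URL under the attacker's control can serve a harmless file then and a scripted one later, which is why the policy refuses SVG for untrusted roles even when `svg_active_content` returns nothing. The `_local` helper makes the element and attribute tests namespace-agnostic, so `xlink:href` and a bare `href` are treated alike.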

Products affected by CVE-2022-33994

Exploit prediction scoring system (EPSS) score for CVE-2022-33994

EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~18% (the proportion of vulnerabilities scored at or below this score)

CVSS scores for CVE-2022-33994

Base Score: 3.0
Base Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
Exploitability Score: 1.3
Impact Score: 1.4
Score Source: NIST

CWE ids for CVE-2022-33994
