CVE-2024-4439

NameCVE-2024-4439
DescriptionWordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1069091

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
wordpress (PTS)bullseye (security), bullseye5.7.11+dfsg1-0+deb11u1fixed
bookworm, bookworm (security)6.1.6+dfsg1-0+deb12u1vulnerable
sid, trixie6.6.1+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
wordpresssourcebullseye(not affected)
wordpresssource(unstable)6.5.2+dfsg1-11069091

Notes

[bullseye] - wordpress <not-affected> (The vulnerable code was introduced later)
https://wpscan.com/blog/unauthenticated-stored-xss-fixed-in-wordpress-core/
https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/
https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=57950%40%2F&new=57950%40%2F&sfp_email=&sfph_mail=#file3
https://core.trac.wordpress.org/changeset/57951/branches/6.4/src/wp-includes/blocks/avatar.php
Search for package or bug name: Reporting problems