Search for vulnerabilities
| Vulnerability ID | VCID-27gf-s9nc-9qgy |
| Aliases |
CVE-2021-39201
|
| Summary | WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. ### References https://wordpress.org/news/category/releases/ https://hackerone.com/reports/1142140 ### For more information If you have any questions or comments about this advisory: * Open an issue in [HackerOne](https://hackerone.com/wordpress) |
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 4.9 |
| Risk | 2.5 |
| Affected and Fixed Packages | Package Details |
| There are no known CWE. |
| Reference id | Reference type | URL |
|---|---|---|
| https://api.first.org/data/v1/epss?cve=CVE-2021-39201 | ||
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39201 | ||
| https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-wh69-25hr-h94v | ||
| https://hackerone.com/reports/1142140 | ||
| https://www.debian.org/security/2021/dsa-4985 | ||
| 994059 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994059 | |
| cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* | https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* | |
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | |
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | |
| CVE-2021-39201 | https://nvd.nist.gov/vuln/detail/CVE-2021-39201 |
| Exploitability (E) | Access Vector (AV) | Access Complexity (AC) | Authentication (Au) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|
high functional unproven proof_of_concept not_defined |
local adjacent_network network |
high medium low |
multiple single none |
none partial complete |
none partial complete |
none partial complete |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Percentile | 0.43799 |
| EPSS Score | 0.0021 |
| Published At | Aug. 1, 2025, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2025-07-31T12:20:52.082908+00:00 | EPSS Importer | Import | https://epss.cyentia.com/epss_scores-current.csv.gz | 37.0.0 |