CVE-2024-4439
Published: 03 May 2024
Summary
CVE-2024-4439 is a high-severity Basic XSS (CWE-80) vulnerability in WordPress core (vendor: WordPress). Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 0.4% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
WordPress Core contains a stored cross-site scripting vulnerability in the Avatar block that affects versions through 6.5.2. The flaw stems from insufficient output escaping of user display names, allowing malicious script content to be persisted and later rendered when pages containing the block are viewed. The issue is tracked as CWE-80 and carries a CVSS 3.1 score of 7.2.
Authenticated users with contributor-level access or higher can exploit the weakness by setting a crafted display name that is stored and executed in the context of other visitors. Unauthenticated attackers can achieve the same outcome on any page that includes the comment block and displays the comment author’s avatar, resulting in arbitrary script execution with a scope that crosses security boundaries.
The WordPress 6.5.2 maintenance and security release addresses the issue through changesets that add proper escaping in the avatar block implementation. Administrators are advised to update immediately; the referenced Wordfence analysis and core Trac entries provide the specific code diffs applied to the 6.4 and main branches.
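The defect described above is a context-escaping problem: a user-controlled display name lands inside an HTML attribute of the avatar markup without being neutralised. The following stand-alone PHP script is an added illustration, not WordPress core code and not the 6.5.2 changeset: it shows the unescaped pattern beside the hardened one and a DOM-based check a reviewer can use to confirm that the name round-trips as data rather than markup. `htmlspecialchars()` stands in for WordPress's `esc_attr()` so the script runs without WordPress loaded; the function names, the sample display name and the avatar URL are all constructed for the example.

```php
<?php
// Added example (not WordPress core code): rendering a user display name inside
// an avatar <img> with and without attribute escaping, plus a round-trip check.
// Inside WordPress the hardened call would be esc_attr() / esc_url(); plain
// htmlspecialchars() is used here so the script runs stand-alone.
declare(strict_types=1);

/** Unescaped pattern: the display name is interpolated into the alt attribute raw. */
function render_avatar_unescaped(string $display_name, string $src): string
{
    return '<img class="avatar" src="' . $src . '" alt="' . $display_name . '">';
}

/** Hardened pattern: every untrusted value is escaped for the attribute context it lands in. */
function render_avatar_escaped(string $display_name, string $src): string
{
    $alt = htmlspecialchars($display_name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $url = htmlspecialchars($src, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img class="avatar" src="' . $url . '" alt="' . $alt . '">';
}

/**
 * Review check: parse the markup the way a browser would and verify that
 * exactly one <img> exists and that its alt attribute equals the original
 * display name. If escaping was skipped, quotes or angle brackets in the name
 * change the tag structure and the round trip fails.
 */
function alt_round_trips(string $display_name, string $html): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);               // malformed markup is expected in the bad case
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();

    $imgs = $doc->getElementsByTagName('img');
    return $imgs->length === 1
        && $imgs->item(0)->getAttribute('alt') === $display_name;
}

// Constructed sample input: a display name containing quotes and tags (no payload,
// just characters that are significant inside an HTML attribute).
$name = 'Eve "the <b>bold</b>" Smith';
$src  = 'https://example.test/avatar.png';          // placeholder URL

$variants = [
    'unescaped' => render_avatar_unescaped($name, $src),
    'escaped'   => render_avatar_escaped($name, $src),
];

foreach ($variants as $label => $html) {
    printf("%-9s alt intact: %s\n          %s\n",
        $label,
        alt_round_trips($name, $html) ? 'yes' : 'NO',
        $html
    );
}
```

Run it with `php avatar_escape_demo.php`: the unescaped variant fails the round-trip check because the quote in the name terminates the `alt` attribute early, while the escaped variant parses back to the exact display name. The same check generalises to any template that places user-supplied profile fields into attributes or element text: escape for the destination context, then confirm via a parser rather than by eyeballing the string.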
EPSS values have remained elevated, with a current score of 0.9058 and a recorded peak of 0.9206, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-44058
Vulnerability details
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.