CVE-2022-4973

Description

WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page.

How to fix CVE-2022-4973

To remediate CVE-2022-4973, upgrade the affected package to a fixed version below.

—upgrade to 3.6.2 or later
—upgrade to 3.6.2 or later
—upgrade to 5.7.8+dfsg1-0+deb11u1 or later

Is CVE-2022-4973 being exploited?

Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 3.6.2, >= 3.7.0, < 3.7.39, >= 3.8.0, < 3.8.39, >= 3.9.0, < 3.9.37, >= 4.0.0, < 4.0.36, >= 4.1.0, < 4.1.36, >= 4.2.0, < 4.2.33, >= 4.3.0, < 4.3.29, >= 4.4.0, < 4.4.28, >= 4.5.0, < 4.5.27, >= 4.6.0, < 4.6.24, >= 4.7.0, < 4.7.24, >= 4.8.0, < 4.8.20, >= 4.9.0, < 4.9.21, >= 5.0.0, < 5.0.17, >= 5.1.0, < 5.1.14, >= 5.2.0, < 5.2.16, >= 5.3.0, < 5.3.13, >= 5.4.0, < 5.4.11, >= 5.5.0, < 5.5.10, >= 5.6.0, < 5.6.9, >= 5.7.0, < 5.7.7, >= 5.8.0, < 5.8.5, >= 5.9.0, < 5.9.4, >= 6.0.0, < 6.0.2
from 0, < 3.6.2, >= 3.7.0, < 3.7.39, >= 3.8.0, < 3.8.39, >= 3.9.0, < 3.9.37, >= 4.0.0, < 4.0.36, >= 4.1.0, < 4.1.36, >= 4.2.0, < 4.2.33, >= 4.3.0, < 4.3.29, >= 4.4.0, < 4.4.28, >= 4.5.0, < 4.5.27, >= 4.6.0, < 4.6.24, >= 4.7.0, < 4.7.24, >= 4.8.0, < 4.8.20, >= 4.9.0, < 4.9.21, >= 5.0.0, < 5.0.17, >= 5.1.0, < 5.1.14, >= 5.2.0, < 5.2.16, >= 5.3.0, < 5.3.13, >= 5.4.0, < 5.4.11, >= 5.5.0, < 5.5.10, >= 5.6.0, < 5.6.9, >= 5.7.0, < 5.7.7, >= 5.8.0, < 5.8.5, >= 5.9.0, < 5.9.4, >= 6.0.0, < 6.0.2
from 0, < 5.7.8+dfsg1-0+deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N