Open mend-bolt-for-github[bot] opened 2 years ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
Vulnerable Library - WordPress5.4
WordPress, Git-ified. Synced via SVN every 15 minutes, including branches and tags! This repository is just a mirror of the WordPress subversion repository. Please do not send pull requests. Submit patches to https://core.trac.wordpress.org/ instead.
Library home page: https://github.com/WordPress/WordPress.git
Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4
Vulnerable Source Files (1)
/ctf-spring2022/www/wp-includes/js/wp-embed.min.js
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2023-0152
### Vulnerable Libraries - WordPress5.4

WordPress prior to 6.2.1 does not validate the protocol when processing oEmbed discovery, which could allow users with the Contributor role and above to perform Stored Cross-Site Scripting attacks.
Publish Date: 2023-05-16
URL: WS-2023-0152
### CVSS 3 Score Details (5.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://wpscan.com/vulnerability/3b574451-2852-4789-bc19-d5cc39948db5
Release Date: 2023-05-16
Fix Resolution: 4.1.38,4.2.35,4.3.31,4.4.30,4.5.29,4.6.26,4.7.26,4.8.22,4.9.23,5.0.19,5.1.16,5.2.18,5.3.15,5.4.13,5.5.12,5.6.11,5.7.9,5.8.7,5.9.6,6.0.4,6.1.2,6.2.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2020-28040
### Vulnerable Libraries - WordPress5.4

WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.
Publish Date: 2020-10-31
URL: CVE-2020-28040
### CVSS 3 Score Details (4.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
Release Date: 2020-10-31
Fix Resolution: 5.5.2