CVE-2022-4973 - Vulnerability Details

CVE-2022-4973 - WordPress Core < 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via use of the_meta(); function

WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Wordpress	Wordpress

Configuration 1 [-]

cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://core.trac.wordpress.org/changeset/53961
https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
https://www.wordfence.com/blog/2022/08/wordpress-core-6-0-2-security-maintenance-release-what-you-need-to-know/
https://www.wordfence.com/threat-intel/vulnerabilities/id/b5582e89-83e6-4898-b9fe-09eddeb5f7ae?source=cve

History

Sat, 12 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.0028}`	epss `{'score': 0.00312}`

Wed, 30 Oct 2024 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
CPEs		cpe:2.3:a:wordpress:wordpress::::::::
Vendors & Products		Wordpress Wordpress wordpress

Wed, 16 Oct 2024 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 16 Oct 2024 07:00:00 +0000

Type	Values Removed	Values Added
Description		WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page.
Title		WordPress Core < 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via use of the_meta(); function
Weaknesses		CWE-79
References		https://core.trac.wordpress.org/changeset/53961 https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/ https://www.wordfence.com/blog/2022/08/wordpress-core-6-0-2-security-maintenance-release-what-you-need-to-know/ https://www.wordfence.com/threat-intel/vulnerabilities/id/b5582e89-83e6-4898-b9fe-09eddeb5f7ae?source=cve
Metrics		cvssV3_1 `{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-10-16T06:43:41.734Z

Updated: 2024-10-16T12:59:35.321Z

Reserved: 2024-10-15T18:03:44.130Z

Link: CVE-2022-4973

Vulnrichment

Updated: 2024-10-16T12:59:21.134Z

NVD

Status : Analyzed

Published: 2024-10-16T07:15:12.497

Modified: 2024-10-30T15:58:30.907

Link: CVE-2022-4973

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object