vulnerability

WordPress Plugin: gutenberg: CVE-2022-43500: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Severity: 5
CVSS: (AV:N/AC:L/Au:S/C:P/I:P/A:N)
Published: Oct 18, 2022
Added: May 15, 2025
Modified: Jul 10, 2025

Description

WordPress Core in versions up to 6.0.3 and the Gutenberg plugin for WordPress in versions up to 14.3.1 are vulnerable to Stored Cross-Site Scripting due to insufficient output escaping on user-supplied input. The affected components are the RSS widget, Search Block, Featured Image Block, RSS Block, and Navigation Block. This makes it possible for authenticated users with access to the block editor to inject malicious web scripts that may execute whenever the page is accessed.

Solution

gutenberg-plugin-cve-2022-43500