CVE-2022-4973
WordPress Core < 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via use of the_meta(); function
| CVSS Score | 4.9 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting. Users with access to the WordPress post and page editor, typically Authors, Contributors, and Editors, can inject arbitrary web scripts into posts and pages; the scripts execute if the the_meta() function is called on that page.
| CWE | CWE-79 |
| Vendor | wordpress foundation |
| Product | wordpress |
| Ecosystems | |
| Industries | WebMedia |
| Published | Oct 16, 2024 |
| Last Updated | Apr 8, 2026 |
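CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
| Attack Vector | Network (AV:N) |
| Attack Complexity | High (AC:H) |
| Privileges Required | Low (PR:L) |
| User Interaction | None (UI:N) |
| Scope | Changed (S:C) |
| Confidentiality | Low (C:L) |
| Integrity | Low (I:L) |
| Availability | None (A:N) |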
Affected Versions
WordPress Foundation / WordPress
| 0 | ≤ 3.6.1 |
| 3.7 | ≤ 3.7.38 |
| 3.8 | ≤ 3.8.38 |
| 3.9 | ≤ 3.9.36 |
| 4.0 | ≤ 4.0.35 |
| 4.1 | ≤ 4.1.35 |
| 4.2 | ≤ 4.2.32 |
| 4.3 | ≤ 4.3.28 |
| 4.4 | ≤ 4.4.27 |
| 4.5 | ≤ 4.5.26 |
| 4.6 | ≤ 4.6.23 |
| 4.7 | ≤ 4.7.23 |
| 4.8 | ≤ 4.8.19 |
| 4.9 | ≤ 4.9.20 |
| 5.0 | ≤ 5.0.16 |
| 5.1 | ≤ 5.1.13 |
| 5.2 | ≤ 5.2.15 |
| 5.3 | ≤ 5.3.12 |
| 5.4 | ≤ 5.4.10 |
| 5.5 | ≤ 5.5.9 |
| 5.6 | ≤ 5.6.8 |
| 5.7 | ≤ 5.7.6 |
| 5.8 | ≤ 5.8.4 |
| 5.9 | ≤ 5.9.3 |
| 6.0 | ≤ 6.0.1 |
References
| wordfence.com | https://www.wordfence.com/threat-intel/vulnerabilities/id/b5582e89-83e6-4898-b9fe-09eddeb5f7ae?source=cve |
| core.trac.wordpress.org | https://core.trac.wordpress.org/changeset/53961 |
| wordpress.org | https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/ |
| wordfence.com | https://www.wordfence.com/blog/2022/08/wordpress-core-6-0-2-security-maintenance-release-what-you-need-to-know/ |
Credits
John Blackbourn