Impact
The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post unfiltered_html.
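As an added illustration (not code from the WordPress project or from this advisory), the snippet below shows the capability distinction the advisory refers to: content from users without `unfiltered_html` is normally passed through the KSES filter, and a site owner can audit which roles hold that capability. It uses only core WordPress functions (`wp_roles`, `WP_Role::has_cap`, `current_user_can`, `wp_kses_post`) and the `DISALLOW_UNFILTERED_HTML` constant; the sample markup is constructed for the demonstration and assumes it runs inside a loaded WordPress environment.

```php
<?php
// Added example, not part of the advisory: audit which roles can post raw HTML
// and show the filtering applied to everyone else.

/**
 * Return the names of roles that hold the unfiltered_html capability.
 * By default only administrators (and editors on single-site installs) have it.
 */
function audit_unfiltered_html_roles() {
    $holders = array();
    foreach ( wp_roles()->role_objects as $name => $role ) {
        if ( $role->has_cap( 'unfiltered_html' ) ) {
            $holders[] = $name;
        }
    }
    return $holders;
}

/**
 * Apply the same gate WordPress core uses for post content: users without
 * unfiltered_html get their markup reduced to the wp_kses_post() allow-list.
 */
function filter_content_for_current_user( $content ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $content; // trusted role: stored as-is
    }
    return wp_kses_post( $content ); // script/event handlers are stripped
}

// Constructed sample: a script tag inside otherwise ordinary post content.
$sample = '<p>Hello</p><script>alert(1)</script>';

// For a contributor or author the result is '<p>Hello</p>alert(1)'; the
// <script> element itself is removed by the allow-list.
echo filter_content_for_current_user( $sample ), "\n";

// Roles that bypass the filter on this site; a hardened site may also define
// DISALLOW_UNFILTERED_HTML in wp-config.php to remove the capability entirely.
echo 'unfiltered_html roles: ', implode( ', ', audit_unfiltered_html_roles() ), "\n";
echo 'DISALLOW_UNFILTERED_HTML set: ',
    ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) ? 'yes' : 'no', "\n";
```

The capability gate is the normal control; the advisory's point is that the vulnerable editor let a low-privileged user get around it, so the fix is applying the 5.8 (or backported minor) release rather than adjusting roles. The audit is still useful for confirming that only intended roles hold `unfiltered_html` on a site.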
Patches
This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix.
References
https://wordpress.org/news/category/releases/
https://hackerone.com/reports/1142140
For more information
If you have any questions or comments about this advisory: