QSearch

CVE-2021-39202

7.6 HIGH

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database

Published: 2021-09-09 · Last updated: 2026-06-17

Severity and scoring

CVSS: 7.6 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
CWE: CWE-79

Affected products

Vendor | Product
wordpress | wordpress

Description

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the custom HTML widget. This has been patched in WordPress 5.8. It was only present during the testing/beta phase of WordPress 5.8.

Source: NVD

Related CVEs

Same vendor

  • CVE-2021-39203 WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database (6.8 MEDIUM)
  • CVE-2021-39201 WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database (7.6 HIGH)
  • CVE-2021-39200 WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database (5.3 MEDIUM)

Same CWE

  • CVE-2026-12425 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access ...
  • CVE-2024-30476 PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager (5.4 MEDIUM)
  • CVE-2026-54198 Unauthenticated Cross Site Scripting (XSS) in Media Library Assistant <= 3.35 versions (7.1 HIGH)
  • CVE-2026-54191 Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions (7.1 HIGH)
  • CVE-2026-39437 Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions (7.1 HIGH)