{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-31111","assignerOrgId":"21595511-bba5-4825-b968-b78d1f9984a3","state":"PUBLISHED","assignerShortName":"Patchstack","dateReserved":"2024-03-28T06:58:01.377Z","datePublished":"2024-06-25T12:54:47.977Z","dateUpdated":"2026-04-28T16:09:28.063Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"WordPress","vendor":"Automattic","versions":[{"changes":[{"at":"6.5.5","status":"unaffected"}],"lessThanOrEqual":"6.5.4","status":"affected","version":"6.5","versionType":"custom"},{"changes":[{"at":"6.4.5","status":"unaffected"}],"lessThanOrEqual":"6.4.4","status":"affected","version":"6.4","versionType":"custom"},{"changes":[{"at":"6.3.5","status":"unaffected"}],"lessThanOrEqual":"6.3.4","status":"affected","version":"6.3","versionType":"custom"},{"changes":[{"at":"6.2.6","status":"unaffected"}],"lessThanOrEqual":"6.2.5","status":"affected","version":"6.2","versionType":"custom"},{"changes":[{"at":"6.1.7","status":"unaffected"}],"lessThanOrEqual":"6.1.6","status":"affected","version":"6.1","versionType":"custom"},{"changes":[{"at":"6.0.9","status":"unaffected"}],"lessThanOrEqual":"6.0.8","status":"affected","version":"6.0","versionType":"custom"},{"changes":[{"at":"5.9.10","status":"unaffected"}],"lessThanOrEqual":"5.9.9","status":"affected","version":"5.9","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","user":"00000000-0000-4000-9000-000000000000","value":"Rafie Muhammad (Patchstack)"}],"datePublic":"2024-06-25T12:54:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS.<p>This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9.</p>"}],"value":"Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9."}],"impacts":[{"capecId":"CAPEC-592","descriptions":[{"lang":"en","value":"CAPEC-592 Stored XSS"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"21595511-bba5-4825-b968-b78d1f9984a3","shortName":"Patchstack","dateUpdated":"2026-04-28T16:09:28.063Z"},"references":[{"tags":["vdb-entry"],"url":"https://patchstack.com/database/vulnerability/wordpress/wordpress-wordpress-core-core-6-5-5-cross-site-scripting-xss-via-template-part-vulnerability?_s_id=cve"},{"tags":["release-notes"],"url":"https://wordpress.org/news/2024/06/wordpress-6-5-5/"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Update to safe (6.5.5, 6.4.5, 6.3.5, 6.2.6, 6.1.7, 6.0.9, 5.9.10) or higher version."}],"value":"Update to safe (6.5.5, 6.4.5, 6.3.5, 6.2.6, 6.1.7, 6.0.9, 5.9.10) or higher version."}],"source":{"discovery":"EXTERNAL"},"title":"WordPress Core < 6.5.5 - Cross Site Scripting (XSS) vulnerability","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-06-25T13:49:17.784337Z","id":"CVE-2024-31111","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-25T13:49:38.980Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T01:46:04.672Z"},"title":"CVE Program Container","references":[{"tags":["vdb-entry","x_transferred"],"url":"https://patchstack.com/database/vulnerability/wordpress/wordpress-wordpress-core-core-6-5-5-cross-site-scripting-xss-via-template-part-vulnerability?_s_id=cve"},{"tags":["release-notes","x_transferred"],"url":"https://wordpress.org/news/2024/06/wordpress-6-5-5/"}]}]}}