CVE-2021-39201 - WordPress Core
CVE-2021-39201
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. ### References https://wordpress.org/news/category/releases/ https://hackerone.com/reports/1142140 ### For more information If you have any questions or comments about this advisory: * Open an issue in [HackerOne](https://hackerone.com/wordpress)
CVE-2021-39201
HIGH
CVSS 7.6
Published 2021-09-09
Updated 2024-11-21
AI Risk Critical (100/100)
Active Exploit: Likely
Published Exploit: Public exploit references found
Priority: P1 Immediate
Severity Band
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Affected Components
1
Reference Links
3
AI Risk Engine
Critical (100/100)
Exploitability
High
Active Exploitation
Likely
Published Exploit Status
Public exploit references found
AI Context
Machine-generated threat intelligence
AI
Updated 6 days ago
AI enriched 6 days ago (2026-04-11 00:41 UTC)
Technical Summary
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you…
Potential Impact
Severity is HIGH (CVSS 7.6). Depending on deployment context, affected components may be exposed to unauthorized actions or data integrity risk.
Exploitability Assessment
Exploitability is assessed as High based on published exploit references, remote code execution potential.
Primary risk drivers: published exploit references, remote code execution potential
Mitigation Recommendations
Validate affected product versions, prioritize patching, and monitor references for vendor remediation guidance. If immediate patching is not possible, apply compensating controls and limit exposure of vulnerable surfaces.
Detection & Monitoring
Track authentication anomalies, unexpected file writes, and suspicious plugin API activity around affected components.
Business Impact Lens
AI risk score 100/100 (Critical, High) with priority P1 Immediate. Prioritize remediation where affected components process customer data, admin sessions, or Internet-exposed workflows.
