via pluginvulnerabilities.com => original post link
Recently there have been conversations popping up over a claim made by the WordPress security provider Wordfence that claims the Gutenberg plugin contains an authenticated persistent cross-site scripting (XSS) vulnerability. On Reddit there were a couple of recent conversations, where unsurprisingly, there wasn’t helpful information being provided. Things have been slightly better on the WordPress support forum for the plugin, but still you had alarmist information. One topic is titled, “Security breach and vulnerability in all versions.” Wordfence in turn, is citing Patchstack when making this claim. The reality is that there isn’t a vulnerability, something the WordPress security team told the original source of the claim, but which Wordfence and Patchstack have ignored.
While Wordfence and Patchstack are both claiming that this is an issue with the Gutenberg plugin, that isn’t what the original source they are citing says. Their post is titled
“CVE-2022-33994:- Stored XSS in WordPress” and they start it this way: [Read more]