
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-39201 is a cross-site scripting (XSS) vulnerability in the WordPress block editor that affects WordPress versions 5.4 through 5.8. It was reported by Michał Bentkowski of Securitum and publicly disclosed on September 9, 2021, alongside the WordPress 5.8.1 security release (WordPress Advisory, WPScan).
The issue is an authenticated XSS (CWE-79) with a CVSS score of 5.4 (medium severity). WordPress normally runs the post content of any user who lacks the unfiltered_html capability through its KSES filter, which strips script elements, event-handler attributes and similar markup before the content is saved. This vulnerability let authenticated users in low-privilege roles such as Contributor or Author bypass that restriction through the block editor and save HTML and script that WordPress would otherwise have removed; the injected markup can then execute in the browser of other users who view the affected content, including editors and administrators (WordPress Advisory, WPScan).
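A practical follow-up to the description above is to check whether any stored content already carries markup that KSES should have removed from a low-privilege author. The script below is an added example, not code from WordPress or from the advisory: it audits constructed post rows (post ID, author role, content) and flags those whose author should have been filtered but whose content contains an executable element, an event-handler attribute or a javascript: URL. The role-to-capability mapping follows WordPress defaults (administrators and editors hold unfiltered_html on a single site; on a multisite network only super admins do; the DISALLOW_UNFILTERED_HTML constant removes it from everyone). The three regexes are this example's own coarse approximation of what wp_kses_post() strips, not the real KSES allow-list, so treat hits as leads to inspect rather than confirmed bypasses.

```python
import re
from dataclasses import dataclass

# Roles that keep raw HTML on a default single-site install (WordPress default capabilities).
ROLES_WITH_UNFILTERED_HTML = {"administrator", "editor"}

# Assumption: a coarse stand-in for markup wp_kses_post() does not allow.
EXECUTABLE_ELEMENT = re.compile(r"<\s*(script|iframe|object|embed)\b", re.IGNORECASE)
EVENT_HANDLER_ATTR = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)
JAVASCRIPT_URL = re.compile(r"\b(href|src)\s*=\s*[\"']?\s*javascript:", re.IGNORECASE)


@dataclass
class Post:
    post_id: int
    author_role: str
    author_is_super_admin: bool
    content: str


def has_unfiltered_html(post, multisite=False, disallow_unfiltered_html=False):
    """Does this post's author keep raw HTML, per WordPress's map_meta_cap rules?"""
    if disallow_unfiltered_html:
        return False  # DISALLOW_UNFILTERED_HTML strips the capability from everyone
    if multisite:
        return post.author_is_super_admin  # on a network only super admins keep it
    return post.author_role in ROLES_WITH_UNFILTERED_HTML


def suspicious_markup(content):
    """Return the kinds of KSES-forbidden markup present in the content."""
    findings = []
    if EXECUTABLE_ELEMENT.search(content):
        findings.append("executable element")
    if EVENT_HANDLER_ATTR.search(content):
        findings.append("event handler attribute")
    if JAVASCRIPT_URL.search(content):
        findings.append("javascript: URL")
    return findings


def audit(posts, multisite=False, disallow_unfiltered_html=False):
    """List (post_id, findings) for posts that should have been filtered but carry
    markup KSES would not allow: candidates for a filter bypass such as CVE-2021-39201."""
    flagged = []
    for post in posts:
        if has_unfiltered_html(post, multisite, disallow_unfiltered_html):
            continue  # raw HTML is legitimate for this author
        findings = suspicious_markup(post.content)
        if findings:
            flagged.append((post.post_id, findings))
    return flagged


# Constructed sample rows standing in for wp_posts joined to each author's role.
SAMPLE_POSTS = [
    Post(1, "contributor", False, "<p>Hello <strong>world</strong></p>"),
    Post(2, "author", False, '<p>Intro</p><img src="pic.png" onload="trackView()">'),
    Post(3, "editor", False, '<p>Embed</p><script src="/widget.js"></script>'),
    Post(4, "contributor", False, '<a href="javascript:void(0)">click</a>'),
]

if __name__ == "__main__":
    for post_id, findings in audit(SAMPLE_POSTS):
        print(f"post {post_id}: {', '.join(findings)}")
```

On a real site the rows would come from a query joining wp_posts to the author's role (and, for post revisions, the revision rows as well); the multisite and DISALLOW_UNFILTERED_HTML switches matter because an editor's script tag is legitimate on a single site but should not exist on a network where that editor is not a super admin.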
WordPress fixed the issue in 5.8.1 and backported the fix to the older branches as point releases: 5.7.3 for 5.7.x, 5.6.5 for 5.6.x, 5.5.6 for 5.5.x and 5.4.7 for 5.4.x. Any site on 5.4 through 5.8 that is below the fixed release for its branch should be updated; keeping automatic background updates enabled ensures these security point releases are applied without manual intervention (WordPress Advisory, WPScan).
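Because the fix landed as a different point release on each branch, a plain "is it older than 5.8.1" check misclassifies patched 5.4 to 5.7 sites. The following script is an added example, not part of the advisory or of WordPress: it reads the version string out of the text of wp-includes/version.php and compares it against the per-branch fixed releases listed above. The version table comes from the advisory; the handling of pre-release tags (an RC of a fixed release is treated as still vulnerable) and the classification of branches outside 5.4 to 5.8 are this example's own assumptions.

```python
import re

# Branch -> first release on that branch containing the fix (from the 5.8.1 advisory).
FIXED_BY_BRANCH = {
    (5, 4): (5, 4, 7),
    (5, 5): (5, 5, 6),
    (5, 6): (5, 6, 5),
    (5, 7): (5, 7, 3),
    (5, 8): (5, 8, 1),
}

# wp-includes/version.php declares the version as: $wp_version = '5.8.1';
VERSION_LINE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_version(text):
    """'5.8' -> (5, 8, 0, 1); '5.7.2' -> (5, 7, 2, 1); '5.8.1-RC1' -> (5, 8, 1, 0).
    The trailing flag orders a pre-release (0) before the final release (1) it precedes."""
    core, sep, _ = text.strip().partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2], 0 if sep else 1)


def assess(version):
    """Return (status, fixed_release) where status is 'vulnerable', 'fixed' or
    'outside-range' and fixed_release is the branch's fixed version string or None."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in FIXED_BY_BRANCH:
        # Assumption: 5.9+ shipped after the fix; branches below 5.4 are outside
        # the advisory's stated range, so this check does not judge them.
        return ("fixed" if branch > (5, 8) else "outside-range"), None
    fixed = FIXED_BY_BRANCH[branch]
    status = "vulnerable" if v < fixed + (1,) else "fixed"
    return status, ".".join(map(str, fixed))


def version_from_version_php(source):
    """Pull $wp_version out of the contents of wp-includes/version.php."""
    match = VERSION_LINE.search(source)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


# Constructed excerpt of wp-includes/version.php from an unpatched 5.8 site.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string.
 */
$wp_version = '5.8';
"""

if __name__ == "__main__":
    installed = version_from_version_php(SAMPLE_VERSION_PHP)
    status, fixed_in = assess(installed)
    print(f"WordPress {installed}: {status}" + (f" (fixed in {fixed_in})" if fixed_in else ""))
```

Reading version.php rather than trusting the generator meta tag or a plugin's report avoids the common case where a site hides its version from HTTP responses; run the check against every WordPress install on a host, since abandoned staging copies on an old branch are the ones most likely to sit below their branch's fixed release.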
Source: This report was generated using AI