| VID |
22933 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
WordPress versions 5.3.0 and earlier are affected by the following vulnerabilities:
- Two cross-site scripting (XSS) vulnerabilities exist due to improper validation of user-supplied input.
An unauthenticated, remote attacker can exploit these, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session.
- A remote, authenticated, unprivileged user can make a post sticky via the REST API.
- wp_kses_bad_protcol() has been hardened to ensure that it is aware of the named colon attribute.
* References:
https://wordpress.org/support/wordpress-version/version-5-3-1/
* Platforms Affected:
WordPress prior to 5.3.1
Any operating system Any version |
| Recommendation |
Upgrade to the version (5.3.1 or later) fixed this vulnerability, available from the WordPress Download Web page at http://wordpress.org/download/ |
| Related URL |
CVE-2019-20042 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
