WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass
Description
A JavaScript payload such as "javascript&colon;alert(1)" in a URL could cause a Cross-Site Scripting (XSS) vulnerability.

According to the commit message (see references):

"`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function."
Proof of Concept
javascript&colon;alert(1)
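To show the class of flaw the commit message describes, here is an added Python illustration (not WordPress's PHP, and not code from the project): a naive scheme check that recognises only a literal or numerically encoded colon, next to a hardened version that decodes every entity form, including the HTML5 named entity `&colon;`, before it looks for the scheme. The `ALLOWED_PROTOCOLS` list and the two function bodies are constructed for the example and only model the behaviour; they are not the actual `wp_kses_bad_protocol()` source.

```python
import html
import re

# Constructed allow-list standing in for WordPress's allowed protocols.
ALLOWED_PROTOCOLS = {"http", "https", "mailto", "ftp", "tel"}


def strip_bad_protocol_naive(value: str) -> str:
    """Model of the flawed check: it splits on ':' and on the decimal/hex
    numeric references for a colon, but never on the named entity '&colon;',
    so a scheme written as 'javascript&colon;' is invisible to it."""
    while True:
        parts = re.split(r":|&#0*58;|&#x0*3a;", value, maxsplit=1, flags=re.IGNORECASE)
        if len(parts) < 2:
            return value  # no scheme seen: treated as a relative URL
        scheme = re.sub(r"\s", "", parts[0]).lower()
        if scheme in ALLOWED_PROTOCOLS:
            return value
        value = parts[1]  # drop the disallowed scheme and re-check the remainder


def strip_bad_protocol_hardened(value: str) -> str:
    """Decode ALL entity forms once, up front, so '&colon;', '&#58;' and
    '&#x3a;' are all a literal ':' by the time the scheme is inspected.
    Callers must re-escape the result before placing it back into markup."""
    value = html.unescape(value)  # html.unescape knows the full HTML5 entity table
    while True:
        scheme, sep, rest = value.partition(":")
        if not sep:
            return value  # no scheme: relative URL, nothing to strip
        # Normalise the scheme the way a browser would before comparing it:
        # drop whitespace/control characters and ignore case.
        scheme = re.sub(r"[\s\x00-\x1f\x7f]", "", scheme).lower()
        if scheme in ALLOWED_PROTOCOLS:
            return value
        value = rest  # disallowed scheme removed; loop in case another one follows


if __name__ == "__main__":
    payload = "javascript&colon;alert(1)"  # the proof-of-concept string from the advisory
    print("naive    :", strip_bad_protocol_naive(payload))     # passes through unchanged
    print("hardened :", strip_bad_protocol_hardened(payload))  # scheme stripped: alert(1)
```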

Affects WordPresses

fixed in version 5.3.1
fixed in version 5.2.5
fixed in version 5.1.4
fixed in version 5.0.8
fixed in version 4.9.13
fixed in version 4.8.12
fixed in version 4.7.16
fixed in version 4.6.17
fixed in version 4.5.20
fixed in version 4.4.21
fixed in version 4.3.22
fixed in version 4.2.26
fixed in version 4.1.29
fixed in version 4.0.29
fixed in version 3.9.30
fixed in version 3.8.32
fixed in version 3.7.32

References

CVE 2019-20041
URL https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
URL https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher WordPress.org Security Team
Verified No
WPVDB ID 10004

Timeline

Publicly Published 2019-12-13
Added 2020-01-04
Last Updated 2020-01-05
