WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor



Description
A cross-site scripting (XSS) vulnerability was discovered in the visual editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.

Affects WordPresses

fixed in version 4.8.2
fixed in version 4.8.2
fixed in version 4.7.6
fixed in version 4.7.6
fixed in version 4.7.6
fixed in version 4.7.6
fixed in version 4.7.6
fixed in version 4.7.6
fixed in version 4.6.7
fixed in version 4.6.7
fixed in version 4.6.7
fixed in version 4.6.7
fixed in version 4.6.7
fixed in version 4.6.7
fixed in version 4.6.7
fixed in version 4.5.10
fixed in version 4.5.10
fixed in version 4.5.10
fixed in version 4.5.10
fixed in version 4.5.10
fixed in version 4.5.10
fixed in version 4.5.10
fixed in version 4.5.10
fixed in version 4.5.10
fixed in version 4.5.10
fixed in version 4.4.11
fixed in version 4.4.11
fixed in version 4.4.11
fixed in version 4.4.11
fixed in version 4.4.11
fixed in version 4.4.11
fixed in version 4.4.11
fixed in version 4.4.11
fixed in version 4.4.11
fixed in version 4.4.11
fixed in version 4.4.11
fixed in version 4.3.12
fixed in version 4.3.12
fixed in version 4.3.12
fixed in version 4.3.12
fixed in version 4.3.12
fixed in version 4.3.12
fixed in version 4.3.12
fixed in version 4.3.12
fixed in version 4.3.12
fixed in version 4.3.12
fixed in version 4.3.12
fixed in version 4.3.12
fixed in version 4.2.16
fixed in version 4.2.16
fixed in version 4.2.16
fixed in version 4.2.16
fixed in version 4.2.16
fixed in version 4.2.16
fixed in version 4.2.16
fixed in version 4.2.16
fixed in version 4.2.16
fixed in version 4.2.16
fixed in version 4.2.16
fixed in version 4.2.16
fixed in version 4.2.16

References

CVE 2017-14726
URL https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
URL https://core.trac.wordpress.org/changeset/41395
URL https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter Rodolfo Assis
Submitter Twitter brutelogic
Views 7249
Verified No
WPVDB ID 8914

Timeline

Publicly Published 2017-09-19 (about 2 years ago)
Added 2017-09-27 (about 2 years ago)
Last Updated 2018-08-29 (about 1 year ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin