WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)



Description
According to WordPress:

"Tim Coen discovered that contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability."

Affects WordPresses

fixed in version 5.0.1
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28

References

CVE 2018-20153
URL https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Tim Coen
Submitter Ryan Dewhurst
Submitter Website https://dewhurstsecurity.com/
Submitter Twitter ethicalhack3r
Views 20092
Verified No
WPVDB ID 9172

Timeline

Publicly Published 2018-12-13 (9 months ago)
Added 2018-12-13 (9 months ago)
Last Updated 2019-01-10 (8 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin