WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins



Description
According to WordPress:

"Tim Coen also discovered that specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances. WordPress itself was not affected, but plugins could be in some situations."

Affects WordPresses

fixed in version 5.0.1
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28

References

CVE 2018-20150
URL https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
URL https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Tim Coen
Submitter Ryan Dewhurst
Submitter Website https://dewhurstsecurity.com/
Submitter Twitter ethicalhack3r
Views 19530
Verified No
WPVDB ID 9173

Timeline

Publicly Published 2018-12-13 (9 months ago)
Added 2018-12-13 (9 months ago)
Last Updated 2019-01-10 (8 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin