WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins



Description
According to WordPress:

"Tim Coen also discovered that specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances. WordPress itself was not affected, but plugins could be in some situations."

Affects WordPresses

fixed in version 5.0.1
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.9.9
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.8.8
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.7.12
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.6.13
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.5.16
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.4.17
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.3.18
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.2.22
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.1.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 4.0.25
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.9.26
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.8.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28
fixed in version 3.7.28

References

CVE 2018-20150
URL https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
URL https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Tim Coen
Submitter Ryan Dewhurst
Submitter Website https://dewhurstsecurity.com/
Submitter Twitter ethicalhack3r
Views 18561
Verified No
WPVDB ID 9173

Timeline

Publicly Published 2018-12-13 (7 months ago)
Added 2018-12-13 (7 months ago)
Last Updated 2019-01-10 (6 months ago)