WordPress 5.0-5.2.2 - Authenticated Stored XSS in Shortcode Previews



Description
According to the WordPress release notes:

"Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a vulnerability for cross-site scripting (XSS) in shortcode previews."

Affects WordPresses

fixed in version 5.2.3
fixed in version 5.1.2
fixed in version 5.0.6

References

CVE: 2019-16219
URL: https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
URL: https://fortiguard.com/zeroday/FG-VD-18-165
URL: https://www.fortinet.com/blog/threat-research/wordpress-core-stored-xss-vulnerability.html

Classification

Type: XSS
OWASP Top 10: A7: Cross-Site Scripting (XSS)
CWE: CWE-79

Miscellaneous

Original Researcher: Zhouyuan Yang of Fortinet’s FortiGuard Labs
Submitter: Ryan Dewhurst
Verified: No
WPVDB ID: 9864

Timeline

Publicly Published: 2019-09-05
Added: 2019-09-05
Last Updated: 2019-09-13
