WordPress <= 5.3 - Stored XSS via Crafted Links

Affected WordPress versions

Every supported branch from 3.7 through 5.3 received a fix release; releases of a branch earlier than the listed fix are affected.

Branch   Fixed in version
5.3.x    5.3.1
5.2.x    5.2.5
5.1.x    5.1.4
5.0.x    5.0.8
4.9.x    4.9.13
4.8.x    4.8.12
4.7.x    4.7.16
4.6.x    4.6.17
4.5.x    4.5.20
4.4.x    4.4.21
4.3.x    4.3.22
4.2.x    4.2.26
4.1.x    4.1.29
4.0.x    4.0.29
3.9.x    3.9.30
3.8.x    3.8.32
3.7.x    3.7.32
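The fix list above is what a practitioner actually needs to triage a fleet of installs, so the following is an added example of that check. It is not code from WPScan or from WordPress. The fix releases come from this advisory; the one assumption is that each fix release covers the earlier releases of its own x.y branch (5.2.5 covers 5.2, 5.2.1 to 5.2.4, and so on), that a branch newer than 5.3 is unaffected, and that a branch older than 3.7 has no patched release. The `$wp_version` assignment it parses is the form used in wp-includes/version.php; the sample file contents are constructed.

```python
"""Triage a WordPress install against the fix list of this advisory.

Added example, not WPScan or WordPress code. The branch-to-fix mapping is
assumed from the advisory's fix releases, one per x.y branch.
"""
import re

# Fix releases from the advisory above, newest branch first.
FIXED_IN = [
    "5.3.1", "5.2.5", "5.1.4", "5.0.8", "4.9.13", "4.8.12", "4.7.16",
    "4.6.17", "4.5.20", "4.4.21", "4.3.22", "4.2.26", "4.1.29", "4.0.29",
    "3.9.30", "3.8.32", "3.7.32",
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?")


def parse_version(text):
    """Parse '5.2', '5.2.3' or '5.3.1-RC1' into a comparable tuple.

    WordPress names the first release of a branch '5.2', not '5.2.0', so a
    missing patch number is 0. A pre-release suffix (alpha, beta, RC) must
    sort below the final release with the same number, so the 4th element
    is 0 for pre-releases and 1 for final releases. Plain string comparison
    would get both of these wrong ('5.2.10' < '5.2.5', '5.3.1-RC1' > '5.3.1').
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a WordPress version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)


def fix_for_branch(version):
    """Return the parsed fix release for the x.y branch of `version`, or None."""
    for fixed in FIXED_IN:
        f = parse_version(fixed)
        if f[:2] == version[:2]:
            return f
    return None


def assess(version_text):
    """Classify a version: 'fixed', 'vulnerable', 'unaffected' (a branch newer
    than 5.3, released after the fix) or 'no-fix' (a branch older than 3.7,
    for which no patched release is listed; upgrading is the only remedy)."""
    v = parse_version(version_text)
    fix = fix_for_branch(v)
    if fix is None:
        newest = parse_version(FIXED_IN[0])
        return "unaffected" if v[:2] > newest[:2] else "no-fix"
    return "fixed" if v >= fix else "vulnerable"


_WP_VERSION_PHP_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def version_from_version_php(source):
    """Extract the version string from the contents of wp-includes/version.php.

    Reading the file is more reliable than a readme.html or generator meta
    tag, both of which are commonly removed or spoofed by hardening plugins.
    """
    m = _WP_VERSION_PHP_RE.search(source)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


if __name__ == "__main__":
    # Constructed sample of wp-includes/version.php, not taken from a real install.
    SAMPLE_VERSION_PHP = (
        "<?php\n"
        "/** The WordPress version string */\n"
        "$wp_version = '5.2.3';\n"
    )
    found = version_from_version_php(SAMPLE_VERSION_PHP)
    print(f"WordPress {found}: {assess(found)}")
```

Run it against the contents of each install's wp-includes/version.php; anything reported as `vulnerable` or `no-fix` needs to move to the fix release for its branch (or to the current release), and a `fixed` verdict for a pre-release such as 5.3.1-RC1 is never returned, since the RC predates the fix.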

References

CVE CVE-2019-20042
CVE CVE-2019-16773
URL https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
URL https://hackerone.com/reports/509930
URL https://github.com/WordPress/wordpress-develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d
URL https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xvg2-m2f4-83m7

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Simon Scannell (RIPS)
Views 120961
Verified No
WPVDB ID 9975

Timeline

Publicly Published 2019-12-13
Added 2019-12-13
Last Updated 2020-01-10
