WordPress <= 5.3 - Authenticated Stored XSS via Crafted Links



Description
The function wp_targeted_link_rel() can be used in a particular way to result in a Stored Cross-Site Scripting (XSS) vulnerability.
Proof of Concept
<a href="#" title=" target='abc' rel= onmouseover=alert(/XSS/) ">This is a PoC for a Stored XSS</a>

Affected WordPress versions

Each affected release branch received a fix in the following version:

fixed in version 5.3.1
fixed in version 5.2.5
fixed in version 5.1.4
fixed in version 5.0.8
fixed in version 4.9.13
fixed in version 4.8.12
fixed in version 4.7.16
fixed in version 4.6.17
fixed in version 4.5.20
fixed in version 4.4.21
fixed in version 4.3.22
fixed in version 4.2.26
fixed in version 4.1.29
fixed in version 4.0.29
fixed in version 3.9.30
fixed in version 3.8.32
fixed in version 3.7.32

References

CVE 2019-16773
URL https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
URL https://hackerone.com/reports/509930
URL https://github.com/WordPress/wordpress-develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d
URL https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xvg2-m2f4-83m7

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Simon Scannell (RIPS)
Views 219677
Verified No
WPVDB ID 9975

Timeline

Publicly Published 2019-12-13 (6 months ago)
Added 2019-12-13 (6 months ago)
Last Updated 2020-05-01 (28 days ago)
