WordPress 3.4-4.7 – Stored Cross-Site Scripting (XSS) via Theme Name fallback | CVE 2017-5490

Affects WordPress

3.8.1

Fixed in WordPress 3.8.17

3.8

Fixed in WordPress 3.8.17

3.7.1

Fixed in WordPress 3.7.17

3.6

Fixed in WordPress 4.7.1

3.5.2

Fixed in WordPress 4.7.1

3.5.1

Fixed in WordPress 4.7.1

3.5

Fixed in WordPress 4.7.1

3.4.2

Fixed in WordPress 4.7.1

3.4.1

Fixed in WordPress 4.7.1

3.4

Fixed in WordPress 4.7.1

3.6.1

Fixed in WordPress 4.7.1

3.9

Fixed in WordPress 3.9.15

3.9.1

Fixed in WordPress 3.9.15

3.7

Fixed in WordPress 3.7.17

3.8.2

Fixed in WordPress 3.8.17

3.8.3

Fixed in WordPress 3.8.17

3.9.2

Fixed in WordPress 3.9.15

4.0

Fixed in WordPress 4.0.14

4.1

Fixed in WordPress 4.1.14

4.1.1

Fixed in WordPress 4.1.14

4.2

Fixed in WordPress 4.2.11

3.9.3

Fixed in WordPress 3.9.15

4.1.2

Fixed in WordPress 4.1.14

4.2.1

Fixed in WordPress 4.2.11

4.0.1

Fixed in WordPress 4.0.14

4.1.5

Fixed in WordPress 4.1.14

4.1.4

Fixed in WordPress 4.1.14

4.1.3

Fixed in WordPress 4.1.14

3.8.4

Fixed in WordPress 3.8.17

3.7.4

Fixed in WordPress 3.7.17

4.2.3

Fixed in WordPress 4.2.11

3.8.8

Fixed in WordPress 3.8.17

3.8.5

Fixed in WordPress 3.8.17

3.8.6

Fixed in WordPress 3.8.17

3.8.7

Fixed in WordPress 3.8.17

3.7.2

Fixed in WordPress 3.7.17

3.7.3

Fixed in WordPress 3.7.17

3.7.5

Fixed in WordPress 3.7.17

3.7.6

Fixed in WordPress 3.7.17

3.7.7

Fixed in WordPress 3.7.17

3.7.8

Fixed in WordPress 3.7.17

3.7.9

Fixed in WordPress 3.7.17

3.8.9

Fixed in WordPress 3.8.17

3.9.4

Fixed in WordPress 3.9.15

3.9.5

Fixed in WordPress 3.9.15

3.9.6

Fixed in WordPress 3.9.15

3.9.7

Fixed in WordPress 3.9.15

4.0.2

Fixed in WordPress 4.0.14

4.0.3

Fixed in WordPress 4.0.14

4.0.4

Fixed in WordPress 4.0.14

4.0.5

Fixed in WordPress 4.0.14

4.0.6

Fixed in WordPress 4.0.14

4.1.6

Fixed in WordPress 4.1.14

4.2.2

Fixed in WordPress 4.2.11

4.2.4

Fixed in WordPress 4.2.11

4.1.7

Fixed in WordPress 4.1.14

4.0.7

Fixed in WordPress 4.0.14

3.9.8

Fixed in WordPress 3.9.15

3.8.10

Fixed in WordPress 3.8.17

3.7.10

Fixed in WordPress 3.7.17

4.3

Fixed in WordPress 4.3.7

4.3.1

Fixed in WordPress 4.3.7

4.2.5

Fixed in WordPress 4.2.11

4.1.8

Fixed in WordPress 4.1.14

4.0.8

Fixed in WordPress 4.0.14

3.9.9

Fixed in WordPress 3.9.15

3.8.11

Fixed in WordPress 3.8.17

3.7.11

Fixed in WordPress 3.7.17

4.4

Fixed in WordPress 4.4.6

3.7.12

Fixed in WordPress 3.7.17

3.8.12

Fixed in WordPress 3.8.17

3.9.10

Fixed in WordPress 3.9.15

4.0.9

Fixed in WordPress 4.0.14

4.1.9

Fixed in WordPress 4.1.14

4.2.6

Fixed in WordPress 4.2.11

4.3.2

Fixed in WordPress 4.3.7

4.4.1

Fixed in WordPress 4.4.6

4.4.2

Fixed in WordPress 4.4.6

4.3.3

Fixed in WordPress 4.3.7

4.2.7

Fixed in WordPress 4.2.11

4.1.10

Fixed in WordPress 4.1.14

4.0.10

Fixed in WordPress 4.0.14

3.9.11

Fixed in WordPress 3.9.15

3.8.13

Fixed in WordPress 3.8.17

3.7.13

Fixed in WordPress 3.7.17

4.5

Fixed in WordPress 4.5.5

4.5.1

Fixed in WordPress 4.5.5

3.7.14

Fixed in WordPress 3.7.17

3.8.14

Fixed in WordPress 3.8.17

3.9.12

Fixed in WordPress 3.9.15

4.0.11

Fixed in WordPress 4.0.14

4.1.11

Fixed in WordPress 4.1.14

4.2.8

Fixed in WordPress 4.2.11

4.3.4

Fixed in WordPress 4.3.7

4.4.3

Fixed in WordPress 4.4.6

4.5.2

Fixed in WordPress 4.5.5

4.5.3

Fixed in WordPress 4.5.5

3.7.15

Fixed in WordPress 3.7.17

3.8.15

Fixed in WordPress 3.8.17

3.9.13

Fixed in WordPress 3.9.15

4.0.12

Fixed in WordPress 4.0.14

4.1.12

Fixed in WordPress 4.1.14

4.2.9

Fixed in WordPress 4.2.11

4.3.5

Fixed in WordPress 4.3.7

4.4.4

Fixed in WordPress 4.4.6

4.6

Fixed in WordPress 4.6.2

3.7.16

Fixed in WordPress 3.7.17

3.8.16

Fixed in WordPress 3.8.17

3.9.14

Fixed in WordPress 3.9.15

4.0.13

Fixed in WordPress 4.0.14

4.1.13

Fixed in WordPress 4.1.14

4.2.10

Fixed in WordPress 4.2.11

4.3.6

Fixed in WordPress 4.3.7

4.4.5

Fixed in WordPress 4.4.6

4.5.4

Fixed in WordPress 4.5.5

4.6.1

Fixed in WordPress 4.6.2

4.7

Fixed in WordPress 4.7.1

References

CVE

CVE-2017-5490

URL

https://www.mehmetince.net/low-severity-wordpress/

URL

https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/

URL

https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.1 (medium)

Miscellaneous

Submitter

Mehmet Ince

Submitter website

https://pentest.blog

Submitter twitter

mdisec

Verified

No

WPVDB ID

6737b4a2-080c-454a-a16e-7fc59824c659

Timeline

Publicly Published

2017-01-11 (about 7 years ago)

Added

2017-01-12 (about 7 years ago)

Last Updated

2020-09-22 (about 3 years ago)

Other

Published

Title

Published

2021-03-29

Title

Virtual Robots.txt < 1.10 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2024-05-08

Title

Playlist for Youtube <= 1.32 - Editor+ Stored XSS

Published

2015-01-14

Title

Simple Security <= 1.1.5 - 2 x Cross-Site Scripting (XSS)

Published

2024-04-08

Title

Forminator < 1.29.3 - Contributor+ Stored Cross-Site Scripting via forminator_form Shortcode

Published

2021-10-27

Title

Floating Social Media Icon <= 4.3.5 - Admin+ Stored Cross-Site Scripting