WordPress Vulnerabilities

WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor

Description

A cross-site scripting (XSS) vulnerability was discovered in the visual editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.

Affects WordPress

4.2.3
Fixed in WordPress 4.2.16
4.2.4
Fixed in WordPress 4.2.16
4.3
Fixed in WordPress 4.3.12
4.3.1
Fixed in WordPress 4.3.12
4.2.5
Fixed in WordPress 4.2.16
4.4
Fixed in WordPress 4.4.11
4.2.6
Fixed in WordPress 4.2.16
4.3.2
Fixed in WordPress 4.3.12
4.4.1
Fixed in WordPress 4.4.11
4.4.2
Fixed in WordPress 4.4.11
4.3.3
Fixed in WordPress 4.3.12
4.2.7
Fixed in WordPress 4.2.16
4.5
Fixed in WordPress 4.5.10
4.5.1
Fixed in WordPress 4.5.10
4.2.8
Fixed in WordPress 4.2.16
4.3.4
Fixed in WordPress 4.3.12
4.4.3
Fixed in WordPress 4.4.11
4.5.2
Fixed in WordPress 4.5.10
4.5.3
Fixed in WordPress 4.5.10
4.2.9
Fixed in WordPress 4.2.16
4.3.5
Fixed in WordPress 4.3.12
4.4.4
Fixed in WordPress 4.4.11
4.6
Fixed in WordPress 4.6.7
4.2.10
Fixed in WordPress 4.2.16
4.3.6
Fixed in WordPress 4.3.12
4.4.5
Fixed in WordPress 4.4.11
4.5.4
Fixed in WordPress 4.5.10
4.6.1
Fixed in WordPress 4.6.7
4.7
Fixed in WordPress 4.7.6
4.2.11
Fixed in WordPress 4.2.16
4.3.7
Fixed in WordPress 4.3.12
4.4.6
Fixed in WordPress 4.4.11
4.5.5
Fixed in WordPress 4.5.10
4.7.1
Fixed in WordPress 4.7.6
4.6.2
Fixed in WordPress 4.6.7
4.2.12
Fixed in WordPress 4.2.16
4.3.8
Fixed in WordPress 4.3.12
4.4.7
Fixed in WordPress 4.4.11
4.5.6
Fixed in WordPress 4.5.10
4.6.3
Fixed in WordPress 4.6.7
4.7.2
Fixed in WordPress 4.7.6
4.2.13
Fixed in WordPress 4.2.16
4.3.9
Fixed in WordPress 4.3.12
4.4.8
Fixed in WordPress 4.4.11
4.5.7
Fixed in WordPress 4.5.10
4.6.4
Fixed in WordPress 4.6.7
4.7.3
Fixed in WordPress 4.7.6
4.2.14
Fixed in WordPress 4.2.16
4.3.10
Fixed in WordPress 4.3.12
4.4.9
Fixed in WordPress 4.4.11
4.5.8
Fixed in WordPress 4.5.10
4.6.5
Fixed in WordPress 4.6.7
4.7.4
Fixed in WordPress 4.7.6
4.7.5
Fixed in WordPress 4.7.6
4.2.15
Fixed in WordPress 4.2.16
4.3.11
Fixed in WordPress 4.3.12
4.4.10
Fixed in WordPress 4.4.11
4.5.9
Fixed in WordPress 4.5.10
4.6.6
Fixed in WordPress 4.6.7
4.8
Fixed in WordPress 4.8.2
4.8.1
Fixed in WordPress 4.8.2

References

CVE
CVE-2017-14726
URL
https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
URL
https://core.trac.wordpress.org/changeset/41395
URL
https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Submitter
Rodolfo Assis
Submitter twitter
brutelogic
Verified
No
WPVDB ID
e525b3ed-866e-4c48-8715-19fc8be14939

Timeline

Publicly Published
2017-09-19 (about 6 years ago)
Added
2017-09-27 (about 6 years ago)
Last Updated
2020-09-22 (about 3 years ago)

Other

Published
Title
Published
2023-04-05
Title
Weaver Xtreme Theme < 6.2 - Contributor+ Stored Cross-Site Scripting
Published
2023-11-28
Title
File Gallery <= 1.8.5.4 - Reflected Cross-Site Scripting via post_id
Published
2023-12-19
Title
Multi Step Form < 1.7.17 - Admin+ Stored XSS
Published
2014-08-01
Title
Securimage-WP 3.2.4 - siwp_test.php URI XSS
Published
2018-04-06
Title
WordPress File Upload <= 4.3.3 - Cross-Site Scripting (XSS)