Description
wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.
Remediation
References