Description
Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used in WordPress before 3.0.4, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the & (ampersand) character, (2) the case of an attribute name, (3) a padded entity, and (4) an entity that is not in normalized form.