Description
wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.
Remediation
Upgrade WordPress to version 4.9.1 or later.
References
Related Vulnerabilities
Microsoft SQL Server Remote Code Execution Vulnerability (CVE-2020-0618)
WordPress Authentication Bypass Using an Alternate Path or Channel Vulnerability (CVE-2020-4050)
WordPress Plugin WP REST API (WP API) Cross-Site Scripting (1.2.2)
WordPress Plugin Falang multilanguage for WordPress Cross-Site Scripting (1.3.17)