WordPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2017-17094)

Description

wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.

Remediation

References

CVE-2017-17094

Related Vulnerabilities

Joomla! Core 1.0.x Multiple Unspecified Vulnerabilities (1.0.0 - 1.0.9)

Internet Information Services Other Vulnerability (CVE-2000-1090)

Microsoft SQL Server Other Vulnerability (CVE-2000-1088)

PHP Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2016-3142)

Oracle HTTP Server CVE-2013-1862 Vulnerability (CVE-2013-1862)

Severity

Medium

Classification

CVE-2017-17094 CWE-707 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N