Description
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.

Remediation

References
CVE-2019-16217

Related Vulnerabilities
Drupal Core 5.x SQL Injection (5.0 - 5.3)
PHP Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2013-6501)
WordPress 5.8.x Directory Traversal (5.8 - 5.8.9)
Ruby on Rails Improper Authentication Vulnerability (CVE-2012-3424)
WordPress Plugin Search Types Custom Fields Widget Unspecified Vulnerability (1.3)

Severity
Medium

Classification
CVE-2019-16217
CWE-707
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags
Missing Update
Known Vulnerabilities