Description
Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.
Remediation
References
Related Vulnerabilities
WordPress Plugin Ajax Store Locator SQL Injection (1.2.0)
WordPress Plugin Plugmatter Pricing Table Cross-Site Scripting (1.0.32)
WordPress Plugin Zoho SalesIQ Multiple Vulnerabilities (1.0.8)
WordPress 4.8.x Multiple Vulnerabilities (4.8 - 4.8.14)
Nexus Repository Manager Incorrect Authorization Vulnerability (CVE-2018-16620)