wp_kses_bad_protocol in wp-includes/kses.php in WordPress prior to 5.3.1 mishandles the HTML5 colon named entity, allowing malicious users to bypass input sanitization, as demonstrated by the javascript: substring.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
wordpress wordpress |
||
debian debian linux 8.0 |
||
debian debian linux 9.0 |
||
debian debian linux 10.0 |