CVE-2019-20041
moderate-risk
Published 2019-12-27
wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.
Do I need to act?
~
1.4% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 378daf04727d8124c3a98e2f801632e068c04964, b1975463dd995da19bb40d3fa0786498717e3c53
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (4)
References (12)
Mailing List
https://seclists.org/bugtraq/2020/Jan/8
Third Party Advisory
https://www.debian.org/security/2020/dsa-4599
Third Party Advisory
https://www.debian.org/security/2020/dsa-4677
Mailing List
https://seclists.org/bugtraq/2020/Jan/8
Third Party Advisory
https://www.debian.org/security/2020/dsa-4599
Third Party Advisory
https://www.debian.org/security/2020/dsa-4677
46
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
4/34 · Minimal
Exposure
10/34 · Low