CVE-2017-14726
Published 2017-09-23
CVE-2017-14726: Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.
Priority: P275 · medium · CVSS 3.0 score 6.1
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 2.66% (83.8th percentile)
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | < wordpress 4.8.2+dfsg-1 (bookworm) | wordpress 4.8.2+dfsg-1 (bookworm) |
| wordpress | wordpress | <= 4.8.1 | — |
| wordpress | wordpress | >= 0 < 4.8.2+dfsg-1 | 4.8.2+dfsg-1 |
| wordpress | wordpress | >= 0 < 4.8.2+dfsg-1 | 4.8.2+dfsg-1 |
| wordpress | wordpress | >= 0 < 4.8.2+dfsg-1 | 4.8.2+dfsg-1 |
| wordpress | wordpress | >= 0 < 4.8.2+dfsg-1 | 4.8.2+dfsg-1 |
Detection & IOCs (extracted from sources)
- Vulnerability is limited to WordPress versions prior to 4.8.2; the attack vector is XSS via shortcodes in the TinyMCE visual editor, meaning exploitation requires a user with editor-level access or ability to inject shortcodes.
- Debian packages fixed in 4.8.2+dfsg-1 across all active Debian releases (bookworm, bullseye, forky, sid, trixie); scope is classified as local.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vulncheck | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
GHSA
GHSA-wg62-5rv2-8hw3 · ghsa_unreviewed · 2022-05-17 · CVE-2017-14726 [MEDIUM] · CWE-79
Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.
OSV
CVE-2017-14726 [MEDIUM] · osv · 2017-09-23 · CVSS 6.1
Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.
VulnCheck
CVE-2017-14726 [MEDIUM] · vulncheck · 2017 · CVSS 6.1
WordPress wordpress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.
Affected: WordPress wordpress
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.ic3.gov/Media/News/2022/220126.pdf
Debian
CVE-2017-14726 [MEDIUM] · vendor_debian · 2017 · CVSS 6.1 · package: wordpress
Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.
Scope: local
- bookworm: resolved (fixed in 4.8.2+dfsg-1)
- bullseye: resolved (fixed in 4.8.2+dfsg-1)
- forky: resolved (fixed in 4.8.2+dfsg-1)
- sid: resolved (fixed in 4.8.2+dfsg-1)
- trixie: resolved (fixed in 4.8.2+dfsg-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/100912
- http://www.securitytracker.com/id/1039553
- https://core.trac.wordpress.org/changeset/41395
- https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
- https://wpvulndb.com/vulnerabilities/8914
- https://www.debian.org/security/2017/dsa-3997