cbcvebase.
CVE-2017-14726
published 2017-09-23

CVE-2017-14726: Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.

Priority: P2 75 · medium · CVSS 3.0: 6.1
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 2.66% (83.8th percentile)

Affected

6 ranges
Vendor        | Product   | Version range                            | Fixed in
debian        | wordpress | < wordpress 4.8.2+dfsg-1 (bookworm)      | wordpress 4.8.2+dfsg-1 (bookworm)
wordpress     | wordpress | <= 4.8.1                                 |
wordpress     | wordpress | >= 0 < 4.8.2+dfsg-1                      | 4.8.2+dfsg-1
wordpress     | wordpress | >= 0 < 4.8.2+dfsg-1                      | 4.8.2+dfsg-1
wordpress     | wordpress | >= 0 < 4.8.2+dfsg-1                      | 4.8.2+dfsg-1
wordpress     | wordpress | >= 0 < 4.8.2+dfsg-1                      | 4.8.2+dfsg-1

Detection & IOCs (extracted from sources)

  • Vulnerability is limited to WordPress versions prior to 4.8.2; the attack vector is XSS via shortcodes in the TinyMCE visual editor, meaning exploitation requires a user with editor-level access or the ability to inject shortcodes.
  • Debian packages fixed in 4.8.2+dfsg-1 across all active Debian releases (bookworm, bullseye, forky, sid, trixie); scope is classified as local.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.0    | 6.1   | MEDIUM   | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd           | v2.0    | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:N/I:P/A:N
osv           |         | 6.1   | MEDIUM   |
vulncheck     |         | 6.1   | MEDIUM   |
vendor_debian |         | 6.1   | MEDIUM   |