CVE-2017-17093 — Cross-site Scripting in Wordpress

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

6.3%

top 9.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress Debian Linux

Timeline

PublishedDec 2

Latest updateMay 14

Description

wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 4.9.1+dfsg-1 (bookworm)

▶NVDwordpress/wordpress< 4.9.1

▶Debianwordpress/wordpress< 4.9.1+dfsg-1+3

Also affects: Debian Linux 7.0, 8.0, 9.0

Patches

Patch: codex.wordpress.org ↗Patch: github.com ↗Patch: codex.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-hgh7-wggh-fw3g: wp-includes/general-template↗2022-05-14

▶

OSV

CVE-2017-17093: wp-includes/general-template↗2017-12-02

▶

📋Vendor Advisories

Debian

CVE-2017-17093: wordpress - wp-includes/general-template.php in WordPress before 4.9.1 does not properly res...↗2017

▶