CVE-2017-17094 — Cross-site Scripting in Wordpress

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

6.6%

top 8.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress Debian Linux

Timeline

PublishedDec 2

Latest updateMay 14

Description

wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 4.9.1+dfsg-1 (bookworm)

▶NVDwordpress/wordpress< 4.9.1

▶Debianwordpress/wordpress< 4.9.1+dfsg-1+3

Also affects: Debian Linux 7.0, 8.0, 9.0

Patches

Patch: codex.wordpress.org ↗Patch: github.com ↗Patch: wpvulndb.com ↗

🔴Vulnerability Details

GHSA

GHSA-2h28-99xh-9cvg: wp-includes/feed↗2022-05-14

▶

OSV

CVE-2017-17094: wp-includes/feed↗2017-12-02

▶

📋Vendor Advisories

Debian

CVE-2017-17094: wordpress - wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclos...↗2017

▶