CVE-2018-10102Cross-site Scripting in Wordpress

CWE-79Cross-site Scripting5 documents5 sources
Severity
6.1MEDIUMNVD
EPSS
5.2%
top 10.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
WordpressDebian WordpressDebian Linux
Timeline
PublishedApr 16
Latest updateMay 14

Description

Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

debiandebian/wordpress< wordpress 4.9.5+dfsg1-1 (bookworm)
NVDwordpress/wordpress< 4.9.5
Debianwordpress/wordpress< 4.9.5+dfsg1-1+3

Also affects: Debian Linux 8.0, 9.0

Patches

Patch: core.trac.wordpress.orgPatch: github.comPatch: core.trac.wordpress.org

🔴Vulnerability Details

3
GHSA
GHSA-pv54-xqw9-86jh: Before WordPress 42022-05-14
OSV
CVE-2018-10102: Before WordPress 42018-04-16
CVEList
CVE-2018-10102: Before WordPress 42018-04-14

📋Vendor Advisories

1
Debian
CVE-2018-10102: wordpress - Before WordPress 4.9.5, the version string was not escaped in the get_the_genera...2018