#VU9455 Cross-site scripting in WordPress - CVE-2017-17094
Published: November 29, 2017 / Updated: December 2, 2017
Vulnerability identifier: #VU9455
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-17094
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
WordPress
WordPress
Software vendor:
WordPress.ORG
WordPress.ORG
Description
The vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability exists due to insufficient sanitization of the attributes of enclosures in RSS and Atom feeds within wp-includes/feed.php script. A remote attacker can bypass implemented filters and execute arbitrary HTML and script code in victims browser in context of the vulnerable website.
The vulnerability exists due to insufficient sanitization of the attributes of enclosures in RSS and Atom feeds within wp-includes/feed.php script. A remote attacker can bypass implemented filters and execute arbitrary HTML and script code in victims browser in context of the vulnerable website.
Remediation
Update to version 4.9.1.