WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Vulnerabilities

WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass

Description

A JavaScript payload such as "javascript&colon;alert(1)" in a URL could cause a Cross-Site Scripting (XSS) vulnerability.

According to the commit message (see references):

"`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function."

Proof of Concept

javascript&colon;alert(1)

Affects WordPress

3.8.1
Fixed in version 3.8.32
3.8
Fixed in version 3.8.32
3.7.1
Fixed in version 3.7.32
3.9
Fixed in version 3.9.30
3.9.1
Fixed in version 3.9.30
3.7
Fixed in version 3.7.32
3.8.2
Fixed in version 3.8.32
3.8.3
Fixed in version 3.8.32
3.9.2
Fixed in version 3.9.30
4.0
Fixed in version 4.0.29

References

CVE
CVE-2019-20041
URL
https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
URL
https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

WordPress.org Security Team

Verified

No

WPVDB ID
8fac612b-95d2-477a-a7d6-e5ec0bb9ca52

Timeline

Publicly Published

2019-12-13 (about 3 years ago)

Added

2020-01-04 (about 3 years ago)

Last Updated

2020-09-22 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin