logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass

Description

A JavaScript payload such as "javascript&colon;alert(1)" in a URL could cause a Cross-Site Scripting (XSS) vulnerability.

According to the commit message (see references):

"`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function."

Proof of Concept

javascript&colon;alert(1)

Affects WordPresses

3.8.1

Fixed in version 3.8.32

3.8

Fixed in version 3.8.32

3.7.1

Fixed in version 3.7.32

3.9

Fixed in version 3.9.30

3.9.1

Fixed in version 3.9.30

3.7

Fixed in version 3.7.32

3.8.2

Fixed in version 3.8.32

3.8.3

Fixed in version 3.8.32

3.9.2

Fixed in version 3.9.30

4.0

Fixed in version 4.0.29

References

CVE

CVE-2019-20041

URL

https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/

URL

https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

WordPress.org Security Team

Verified

No

WPVDB ID

8fac612b-95d2-477a-a7d6-e5ec0bb9ca52

Timeline

Publicly Published

2019-12-13 (about 1 years ago)

Added

2020-01-04 (about 1 years ago)

Last Updated

2020-09-22 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin