WordPress <= 5.3 – wp_kses_bad_protocol() Colon Bypass | CVE 2019-20041

Description

A JavaScript payload such as "javascript&colon;alert(1)" in a URL could cause a Cross-Site Scripting (XSS) vulnerability.

According to the commit message (see references):

"`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function."

Proof of Concept

javascript&colon;alert(1)

Affects WordPress

3.8.1

Fixed in WordPress 3.8.32

3.8

Fixed in WordPress 3.8.32

3.7.1

Fixed in WordPress 3.7.32

3.9

Fixed in WordPress 3.9.30

3.9.1

Fixed in WordPress 3.9.30

3.7

Fixed in WordPress 3.7.32

3.8.2

Fixed in WordPress 3.8.32

3.8.3

Fixed in WordPress 3.8.32

3.9.2

Fixed in WordPress 3.9.30

4.0

Fixed in WordPress 4.0.29

4.1

Fixed in WordPress 4.1.29

4.1.1

Fixed in WordPress 4.1.29

4.2

Fixed in WordPress 4.2.26

3.9.3

Fixed in WordPress 3.9.30

4.1.2

Fixed in WordPress 4.1.29

4.2.1

Fixed in WordPress 4.2.26

4.0.1

Fixed in WordPress 4.0.29

4.1.5

Fixed in WordPress 4.1.29

4.1.4

Fixed in WordPress 4.1.29

4.1.3

Fixed in WordPress 4.1.29

3.8.4

Fixed in WordPress 3.8.32

3.7.4

Fixed in WordPress 3.7.32

4.2.3

Fixed in WordPress 4.2.26

3.8.8

Fixed in WordPress 3.8.32

3.8.5

Fixed in WordPress 3.8.32

3.8.6

Fixed in WordPress 3.8.32

3.8.7

Fixed in WordPress 3.8.32

3.7.2

Fixed in WordPress 3.7.32

3.7.3

Fixed in WordPress 3.7.32

3.7.5

Fixed in WordPress 3.7.32

3.7.6

Fixed in WordPress 3.7.32

3.7.7

Fixed in WordPress 3.7.32

3.7.8

Fixed in WordPress 3.7.32

3.7.9

Fixed in WordPress 3.7.32

3.8.9

Fixed in WordPress 3.8.32

3.9.4

Fixed in WordPress 3.9.30

3.9.5

Fixed in WordPress 3.9.30

3.9.6

Fixed in WordPress 3.9.30

3.9.7

Fixed in WordPress 3.9.30

4.0.2

Fixed in WordPress 4.0.29

4.0.3

Fixed in WordPress 4.0.29

4.0.4

Fixed in WordPress 4.0.29

4.0.5

Fixed in WordPress 4.0.29

4.0.6

Fixed in WordPress 4.0.29

4.1.6

Fixed in WordPress 4.1.29

4.2.2

Fixed in WordPress 4.2.26

4.2.4

Fixed in WordPress 4.2.26

4.1.7

Fixed in WordPress 4.1.29

4.0.7

Fixed in WordPress 4.0.29

3.9.8

Fixed in WordPress 3.9.30

3.8.10

Fixed in WordPress 3.8.32

3.7.10

Fixed in WordPress 3.7.32

4.3

Fixed in WordPress 4.3.22

4.3.1

Fixed in WordPress 4.3.22

4.2.5

Fixed in WordPress 4.2.26

4.1.8

Fixed in WordPress 4.1.29

4.0.8

Fixed in WordPress 4.0.29

3.9.9

Fixed in WordPress 3.9.30

3.8.11

Fixed in WordPress 3.8.32

3.7.11

Fixed in WordPress 3.7.32

4.4

Fixed in WordPress 4.4.21

3.7.12

Fixed in WordPress 3.7.32

3.8.12

Fixed in WordPress 3.8.32

3.9.10

Fixed in WordPress 3.9.30

4.0.9

Fixed in WordPress 4.0.29

4.1.9

Fixed in WordPress 4.1.29

4.2.6

Fixed in WordPress 4.2.26

4.3.2

Fixed in WordPress 4.3.22

4.4.1

Fixed in WordPress 4.4.21

4.4.2

Fixed in WordPress 4.4.21

4.3.3

Fixed in WordPress 4.3.22

4.2.7

Fixed in WordPress 4.2.26

4.1.10

Fixed in WordPress 4.1.29

4.0.10

Fixed in WordPress 4.0.29

3.9.11

Fixed in WordPress 3.9.30

3.8.13

Fixed in WordPress 3.8.32

3.7.13

Fixed in WordPress 3.7.32

4.5

Fixed in WordPress 4.5.20

4.5.1

Fixed in WordPress 4.5.20

3.7.14

Fixed in WordPress 3.7.32

3.8.14

Fixed in WordPress 3.8.32

3.9.12

Fixed in WordPress 3.9.30

4.0.11

Fixed in WordPress 4.0.29

4.1.11

Fixed in WordPress 4.1.29

4.2.8

Fixed in WordPress 4.2.26

4.3.4

Fixed in WordPress 4.3.22

4.4.3

Fixed in WordPress 4.4.21

4.5.2

Fixed in WordPress 4.5.20

4.5.3

Fixed in WordPress 4.5.20

3.7.15

Fixed in WordPress 3.7.32

3.8.15

Fixed in WordPress 3.8.32

3.9.13

Fixed in WordPress 3.9.30

4.0.12

Fixed in WordPress 4.0.29

4.1.12

Fixed in WordPress 4.1.29

4.2.9

Fixed in WordPress 4.2.26

4.3.5

Fixed in WordPress 4.3.22

4.4.4

Fixed in WordPress 4.4.21

4.6

Fixed in WordPress 4.6.17

3.7.16

Fixed in WordPress 3.7.32

3.8.16

Fixed in WordPress 3.8.32

3.9.14

Fixed in WordPress 3.9.30

4.0.13

Fixed in WordPress 4.0.29

4.1.13

Fixed in WordPress 4.1.29

4.2.10

Fixed in WordPress 4.2.26

4.3.6

Fixed in WordPress 4.3.22

4.4.5

Fixed in WordPress 4.4.21

4.5.4

Fixed in WordPress 4.5.20

4.6.1

Fixed in WordPress 4.6.17

4.7

Fixed in WordPress 4.7.16

3.7.17

Fixed in WordPress 3.7.32

3.8.17

Fixed in WordPress 3.8.32

3.9.15

Fixed in WordPress 3.9.30

4.0.14

Fixed in WordPress 4.0.29

4.1.14

Fixed in WordPress 4.1.29

4.2.11

Fixed in WordPress 4.2.26

4.3.7

Fixed in WordPress 4.3.22

4.4.6

Fixed in WordPress 4.4.21

4.5.5

Fixed in WordPress 4.5.20

4.7.1

Fixed in WordPress 4.7.16

4.6.2

Fixed in WordPress 4.6.17

3.7.18

Fixed in WordPress 3.7.32

3.8.18

Fixed in WordPress 3.8.32

3.9.16

Fixed in WordPress 3.9.30

4.0.15

Fixed in WordPress 4.0.29

4.1.15

Fixed in WordPress 4.1.29

4.2.12

Fixed in WordPress 4.2.26

4.3.8

Fixed in WordPress 4.3.22

4.4.7

Fixed in WordPress 4.4.21

4.5.6

Fixed in WordPress 4.5.20

4.6.3

Fixed in WordPress 4.6.17

4.7.2

Fixed in WordPress 4.7.16

3.7.19

Fixed in WordPress 3.7.32

3.8.19

Fixed in WordPress 3.8.32

3.9.17

Fixed in WordPress 3.9.30

4.0.16

Fixed in WordPress 4.0.29

4.1.16

Fixed in WordPress 4.1.29

4.2.13

Fixed in WordPress 4.2.26

4.3.9

Fixed in WordPress 4.3.22

4.4.8

Fixed in WordPress 4.4.21

4.5.7

Fixed in WordPress 4.5.20

4.6.4

Fixed in WordPress 4.6.17

4.7.3

Fixed in WordPress 4.7.16

3.7.20

Fixed in WordPress 3.7.32

3.8.20

Fixed in WordPress 3.8.32

3.9.18

Fixed in WordPress 3.9.30

4.0.17

Fixed in WordPress 4.0.29

4.1.17

Fixed in WordPress 4.1.29

4.2.14

Fixed in WordPress 4.2.26

4.3.10

Fixed in WordPress 4.3.22

4.4.9

Fixed in WordPress 4.4.21

4.5.8

Fixed in WordPress 4.5.20

4.6.5

Fixed in WordPress 4.6.17

4.7.4

Fixed in WordPress 4.7.16

4.7.5

Fixed in WordPress 4.7.16

3.7.21

Fixed in WordPress 3.7.32

3.8.21

Fixed in WordPress 3.8.32

3.9.19

Fixed in WordPress 3.9.30

4.0.18

Fixed in WordPress 4.0.29

4.1.18

Fixed in WordPress 4.1.29

4.2.15

Fixed in WordPress 4.2.26

4.3.11

Fixed in WordPress 4.3.22

4.4.10

Fixed in WordPress 4.4.21

4.5.9

Fixed in WordPress 4.5.20

4.6.6

Fixed in WordPress 4.6.17

4.8

Fixed in WordPress 4.8.12

4.8.1

Fixed in WordPress 4.8.12

3.7.22

Fixed in WordPress 3.7.32

3.8.22

Fixed in WordPress 3.8.32

3.9.20

Fixed in WordPress 3.9.30

4.0.19

Fixed in WordPress 4.0.29

4.1.19

Fixed in WordPress 4.1.29

4.2.16

Fixed in WordPress 4.2.26

4.3.12

Fixed in WordPress 4.3.22

4.4.11

Fixed in WordPress 4.4.21

4.5.10

Fixed in WordPress 4.5.20

4.6.7

Fixed in WordPress 4.6.17

4.7.6

Fixed in WordPress 4.7.16

4.8.2

Fixed in WordPress 4.8.12

4.8.3

Fixed in WordPress 4.8.12

3.7.23

Fixed in WordPress 3.7.32

3.8.23

Fixed in WordPress 3.8.32

3.9.21

Fixed in WordPress 3.9.30

4.0.20

Fixed in WordPress 4.0.29

4.1.20

Fixed in WordPress 4.1.29

4.2.17

Fixed in WordPress 4.2.26

4.3.13

Fixed in WordPress 4.3.22

4.4.12

Fixed in WordPress 4.4.21

4.5.11

Fixed in WordPress 4.5.20

4.6.8

Fixed in WordPress 4.6.17

4.7.7

Fixed in WordPress 4.7.16

4.9

Fixed in WordPress 4.9.13

4.9.1

Fixed in WordPress 4.9.13

4.8.4

Fixed in WordPress 4.8.12

4.7.8

Fixed in WordPress 4.7.16

4.6.9

Fixed in WordPress 4.6.17

4.5.12

Fixed in WordPress 4.5.20

4.4.13

Fixed in WordPress 4.4.21

4.3.14

Fixed in WordPress 4.3.22

4.2.18

Fixed in WordPress 4.2.26

4.1.21

Fixed in WordPress 4.1.29

4.0.21

Fixed in WordPress 4.0.29

3.9.22

Fixed in WordPress 3.9.30

3.8.24

Fixed in WordPress 3.8.32

3.7.24

Fixed in WordPress 3.7.32

4.9.2

Fixed in WordPress 4.9.13

4.8.5

Fixed in WordPress 4.8.12

4.7.9

Fixed in WordPress 4.7.16

4.6.10

Fixed in WordPress 4.6.17

4.5.13

Fixed in WordPress 4.5.20

4.4.14

Fixed in WordPress 4.4.21

4.3.15

Fixed in WordPress 4.3.22

4.2.19

Fixed in WordPress 4.2.26

4.1.22

Fixed in WordPress 4.1.29

4.0.22

Fixed in WordPress 4.0.29

3.9.23

Fixed in WordPress 3.9.30

3.8.25

Fixed in WordPress 3.8.32

3.7.25

Fixed in WordPress 3.7.32

4.9.3

Fixed in WordPress 4.9.13

4.9.4

Fixed in WordPress 4.9.13

3.7.26

Fixed in WordPress 3.7.32

3.8.26

Fixed in WordPress 3.8.32

3.9.24

Fixed in WordPress 3.9.30

4.0.23

Fixed in WordPress 4.0.29

4.1.23

Fixed in WordPress 4.1.29

4.2.20

Fixed in WordPress 4.2.26

4.3.16

Fixed in WordPress 4.3.22

4.4.15

Fixed in WordPress 4.4.21

4.5.14

Fixed in WordPress 4.5.20

4.6.11

Fixed in WordPress 4.6.17

4.7.10

Fixed in WordPress 4.7.16

4.8.6

Fixed in WordPress 4.8.12

4.9.5

Fixed in WordPress 4.9.13

4.9.6

Fixed in WordPress 4.9.13

3.7.27

Fixed in WordPress 3.7.32

3.8.27

Fixed in WordPress 3.8.32

3.9.25

Fixed in WordPress 3.9.30

4.0.24

Fixed in WordPress 4.0.29

4.1.24

Fixed in WordPress 4.1.29

4.2.21

Fixed in WordPress 4.2.26

4.3.17

Fixed in WordPress 4.3.22

4.4.16

Fixed in WordPress 4.4.21

4.5.15

Fixed in WordPress 4.5.20

4.6.12

Fixed in WordPress 4.6.17

4.7.11

Fixed in WordPress 4.7.16

4.8.7

Fixed in WordPress 4.8.12

4.9.7

Fixed in WordPress 4.9.13

4.9.8

Fixed in WordPress 4.9.13

5.0

Fixed in WordPress 5.0.8

5.0.1

Fixed in WordPress 5.0.8

4.9.9

Fixed in WordPress 4.9.13

4.8.8

Fixed in WordPress 4.8.12

4.7.12

Fixed in WordPress 4.7.16

4.6.13

Fixed in WordPress 4.6.17

4.5.16

Fixed in WordPress 4.5.20

4.4.17

Fixed in WordPress 4.4.21

4.3.18

Fixed in WordPress 4.3.22

4.2.22

Fixed in WordPress 4.2.26

4.1.25

Fixed in WordPress 4.1.29

4.0.25

Fixed in WordPress 4.0.29

3.9.26

Fixed in WordPress 3.9.30

3.8.28

Fixed in WordPress 3.8.32

3.7.28

Fixed in WordPress 3.7.32

5.0.2

Fixed in WordPress 5.0.8

5.0.3

Fixed in WordPress 5.0.8

5.1

Fixed in WordPress 5.1.4

5.1.1

Fixed in WordPress 5.1.4

5.0.4

Fixed in WordPress 5.0.8

4.9.10

Fixed in WordPress 4.9.13

4.8.9

Fixed in WordPress 4.8.12

4.7.13

Fixed in WordPress 4.7.16

4.6.14

Fixed in WordPress 4.6.17

4.5.17

Fixed in WordPress 4.5.20

4.4.18

Fixed in WordPress 4.4.21

4.3.19

Fixed in WordPress 4.3.22

4.2.23

Fixed in WordPress 4.2.26

4.1.26

Fixed in WordPress 4.1.29

4.0.26

Fixed in WordPress 4.0.29

3.9.27

Fixed in WordPress 3.9.30

3.8.29

Fixed in WordPress 3.8.32

3.7.29

Fixed in WordPress 3.7.32

5.2

Fixed in WordPress 5.2.5

5.2.1

Fixed in WordPress 5.2.5

5.2.2

Fixed in WordPress 5.2.5

5.2.3

Fixed in WordPress 5.2.5

5.1.2

Fixed in WordPress 5.1.4

5.0.6

Fixed in WordPress 5.0.8

4.9.11

Fixed in WordPress 4.9.13

4.8.10

Fixed in WordPress 4.8.12

4.7.14

Fixed in WordPress 4.7.16

4.6.15

Fixed in WordPress 4.6.17

4.5.18

Fixed in WordPress 4.5.20

4.4.19

Fixed in WordPress 4.4.21

4.3.20

Fixed in WordPress 4.3.22

4.2.24

Fixed in WordPress 4.2.26

4.1.27

Fixed in WordPress 4.1.29

4.0.27

Fixed in WordPress 4.0.29

3.9.28

Fixed in WordPress 3.9.30

3.8.30

Fixed in WordPress 3.8.32

3.7.30

Fixed in WordPress 3.7.32

5.2.4

Fixed in WordPress 5.2.5

5.1.3

Fixed in WordPress 5.1.4

5.0.7

Fixed in WordPress 5.0.8

4.9.12

Fixed in WordPress 4.9.13

4.8.11

Fixed in WordPress 4.8.12

4.7.15

Fixed in WordPress 4.7.16

4.6.16

Fixed in WordPress 4.6.17

4.5.19

Fixed in WordPress 4.5.20

4.4.20

Fixed in WordPress 4.4.21

4.3.21

Fixed in WordPress 4.3.22

4.2.25

Fixed in WordPress 4.2.26

4.1.28

Fixed in WordPress 4.1.29

4.0.28

Fixed in WordPress 4.0.29

3.9.29

Fixed in WordPress 3.9.30

3.8.31

Fixed in WordPress 3.8.32

3.7.31

Fixed in WordPress 3.7.32

5.3

Fixed in WordPress 5.3.1

References

CVE

CVE-2019-20041

URL

https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/

URL

https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

9.8 (critical)

Miscellaneous

Original Researcher

WordPress.org Security Team

Verified

WPVDB ID

8fac612b-95d2-477a-a7d6-e5ec0bb9ca52

Timeline

Publicly Published

2019-12-13 (about 6 years ago)

Added

2020-01-04 (about 6 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2024-09-25

Title

Common Tools for Site <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Published

2023-10-13

Title

Ultimate Taxonomy Manager <= 2.0 - Reflected XSS

Published

2024-08-08

Title

Gutentor < 3.3.6 - Contributor+ Stored XSS

Published

2014-08-01

Title

Count per Day 3.2.5 - counter.php HTTP Referer Header XSS

Published

2023-02-02

Title

Show-Hide / Collapse-Expand < 1.3.0 - Contributor+ Stored XSS via Shortcode