WordPress 3.4.0-4.7.4 – Customizer XSS & CSRF

Affects WordPress

3.8.1

Fixed in WordPress 3.8.21

3.8

Fixed in WordPress 3.8.21

3.7.1

Fixed in WordPress 3.7.21

3.6

Fixed in WordPress 4.7.5

3.5.2

Fixed in WordPress 4.7.5

3.5.1

Fixed in WordPress 4.7.5

3.5

Fixed in WordPress 4.7.5

3.4.2

Fixed in WordPress 4.7.5

3.4.1

Fixed in WordPress 4.7.5

3.4

Fixed in WordPress 4.7.5

3.6.1

Fixed in WordPress 4.7.5

3.9

Fixed in WordPress 3.9.19

3.9.1

Fixed in WordPress 3.9.19

3.7

Fixed in WordPress 3.7.21

3.8.2

Fixed in WordPress 3.8.21

3.8.3

Fixed in WordPress 3.8.21

3.9.2

Fixed in WordPress 3.9.19

4.0

Fixed in WordPress 4.0.18

4.1

Fixed in WordPress 4.1.18

4.1.1

Fixed in WordPress 4.1.18

4.2

Fixed in WordPress 4.2.15

3.9.3

Fixed in WordPress 3.9.19

4.1.2

Fixed in WordPress 4.1.18

4.2.1

Fixed in WordPress 4.2.15

4.0.1

Fixed in WordPress 4.0.18

4.1.5

Fixed in WordPress 4.1.18

4.1.4

Fixed in WordPress 4.1.18

4.1.3

Fixed in WordPress 4.1.18

3.8.4

Fixed in WordPress 3.8.21

3.7.4

Fixed in WordPress 3.7.21

4.2.3

Fixed in WordPress 4.2.15

3.8.8

Fixed in WordPress 3.8.21

3.8.5

Fixed in WordPress 3.8.21

3.8.6

Fixed in WordPress 3.8.21

3.8.7

Fixed in WordPress 3.8.21

3.7.2

Fixed in WordPress 3.7.21

3.7.3

Fixed in WordPress 3.7.21

3.7.5

Fixed in WordPress 3.7.21

3.7.6

Fixed in WordPress 3.7.21

3.7.7

Fixed in WordPress 3.7.21

3.7.8

Fixed in WordPress 3.7.21

3.7.9

Fixed in WordPress 3.7.21

3.8.9

Fixed in WordPress 3.8.21

3.9.4

Fixed in WordPress 3.9.19

3.9.5

Fixed in WordPress 3.9.19

3.9.6

Fixed in WordPress 3.9.19

3.9.7

Fixed in WordPress 3.9.19

4.0.2

Fixed in WordPress 4.0.18

4.0.3

Fixed in WordPress 4.0.18

4.0.4

Fixed in WordPress 4.0.18

4.0.5

Fixed in WordPress 4.0.18

4.0.6

Fixed in WordPress 4.0.18

4.1.6

Fixed in WordPress 4.1.18

4.2.2

Fixed in WordPress 4.2.15

4.2.4

Fixed in WordPress 4.2.15

4.1.7

Fixed in WordPress 4.1.18

4.0.7

Fixed in WordPress 4.0.18

3.9.8

Fixed in WordPress 3.9.19

3.8.10

Fixed in WordPress 3.8.21

3.7.10

Fixed in WordPress 3.7.21

4.3

Fixed in WordPress 4.3.11

4.3.1

Fixed in WordPress 4.3.11

4.2.5

Fixed in WordPress 4.2.15

4.1.8

Fixed in WordPress 4.1.18

4.0.8

Fixed in WordPress 4.0.18

3.9.9

Fixed in WordPress 3.9.19

3.8.11

Fixed in WordPress 3.8.21

3.7.11

Fixed in WordPress 3.7.21

4.4

Fixed in WordPress 4.4.10

3.7.12

Fixed in WordPress 3.7.21

3.8.12

Fixed in WordPress 3.8.21

3.9.10

Fixed in WordPress 3.9.19

4.0.9

Fixed in WordPress 4.0.18

4.1.9

Fixed in WordPress 4.1.18

4.2.6

Fixed in WordPress 4.2.15

4.3.2

Fixed in WordPress 4.3.11

4.4.1

Fixed in WordPress 4.4.10

4.4.2

Fixed in WordPress 4.4.10

4.3.3

Fixed in WordPress 4.3.11

4.2.7

Fixed in WordPress 4.2.15

4.1.10

Fixed in WordPress 4.1.18

4.0.10

Fixed in WordPress 4.0.18

3.9.11

Fixed in WordPress 3.9.19

3.8.13

Fixed in WordPress 3.8.21

3.7.13

Fixed in WordPress 3.7.21

4.5

Fixed in WordPress 4.5.9

4.5.1

Fixed in WordPress 4.5.9

3.7.14

Fixed in WordPress 3.7.21

3.8.14

Fixed in WordPress 3.8.21

3.9.12

Fixed in WordPress 3.9.19

4.0.11

Fixed in WordPress 4.0.18

4.1.11

Fixed in WordPress 4.1.18

4.2.8

Fixed in WordPress 4.2.15

4.3.4

Fixed in WordPress 4.3.11

4.4.3

Fixed in WordPress 4.4.10

4.5.2

Fixed in WordPress 4.5.9

4.5.3

Fixed in WordPress 4.5.9

3.7.15

Fixed in WordPress 3.7.21

3.8.15

Fixed in WordPress 3.8.21

3.9.13

Fixed in WordPress 3.9.19

4.0.12

Fixed in WordPress 4.0.18

4.1.12

Fixed in WordPress 4.1.18

4.2.9

Fixed in WordPress 4.2.15

4.3.5

Fixed in WordPress 4.3.11

4.4.4

Fixed in WordPress 4.4.10

4.6

Fixed in WordPress 4.6.6

3.7.16

Fixed in WordPress 3.7.21

3.8.16

Fixed in WordPress 3.8.21

3.9.14

Fixed in WordPress 3.9.19

4.0.13

Fixed in WordPress 4.0.18

4.1.13

Fixed in WordPress 4.1.18

4.2.10

Fixed in WordPress 4.2.15

4.3.6

Fixed in WordPress 4.3.11

4.4.5

Fixed in WordPress 4.4.10

4.5.4

Fixed in WordPress 4.5.9

4.6.1

Fixed in WordPress 4.6.6

4.7

Fixed in WordPress 4.7.5

3.7.17

Fixed in WordPress 3.7.21

3.8.17

Fixed in WordPress 3.8.21

3.9.15

Fixed in WordPress 3.9.19

4.0.14

Fixed in WordPress 4.0.18

4.1.14

Fixed in WordPress 4.1.18

4.2.11

Fixed in WordPress 4.2.15

4.3.7

Fixed in WordPress 4.3.11

4.4.6

Fixed in WordPress 4.4.10

4.5.5

Fixed in WordPress 4.5.9

4.7.1

Fixed in WordPress 4.7.5

4.6.2

Fixed in WordPress 4.6.6

3.7.18

Fixed in WordPress 3.7.21

3.8.18

Fixed in WordPress 3.8.21

3.9.16

Fixed in WordPress 3.9.19

4.0.15

Fixed in WordPress 4.0.18

4.1.15

Fixed in WordPress 4.1.18

4.2.12

Fixed in WordPress 4.2.15

4.3.8

Fixed in WordPress 4.3.11

4.4.7

Fixed in WordPress 4.4.10

4.5.6

Fixed in WordPress 4.5.9

4.6.3

Fixed in WordPress 4.6.6

4.7.2

Fixed in WordPress 4.7.5

3.7.19

Fixed in WordPress 3.7.21

3.8.19

Fixed in WordPress 3.8.21

3.9.17

Fixed in WordPress 3.9.19

4.0.16

Fixed in WordPress 4.0.18

4.1.16

Fixed in WordPress 4.1.18

4.2.13

Fixed in WordPress 4.2.15

4.3.9

Fixed in WordPress 4.3.11

4.4.8

Fixed in WordPress 4.4.10

4.5.7

Fixed in WordPress 4.5.9

4.6.4

Fixed in WordPress 4.6.6

4.7.3

Fixed in WordPress 4.7.5

3.7.20

Fixed in WordPress 3.7.21

3.8.20

Fixed in WordPress 3.8.21

3.9.18

Fixed in WordPress 3.9.19

4.0.17

Fixed in WordPress 4.0.18

4.1.17

Fixed in WordPress 4.1.18

4.2.14

Fixed in WordPress 4.2.15

4.3.10

Fixed in WordPress 4.3.11

4.4.9

Fixed in WordPress 4.4.10

4.5.8

Fixed in WordPress 4.5.9

4.6.5

Fixed in WordPress 4.6.6

4.7.4

Fixed in WordPress 4.7.5

References

CVE

CVE-2017-9063

URL

https://wordpress.org/news/2017/05/wordpress-4-7-5/

URL

https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.1 (medium)

Miscellaneous

Submitter

ethicalhack3r

Submitter twitter

ethicalhack3r

Verified

No

WPVDB ID

e9535a5c-c6dc-4742-be40-1b94a718d3f3

Timeline

Publicly Published

2017-05-16 (about 6 years ago)

Added

2017-05-17 (about 6 years ago)

Last Updated

2020-09-22 (about 3 years ago)

Other

Published

Title

Published

2015-05-05

Title

WordPress prettyPhoto <= 1.1 - DOM Cross-Site Scripting (XSS)

Published

2023-01-03

Title

PixCodes < 2.3.7 - Contributor+ Stored XSS in Shortcode

Published

2022-01-02

Title

WP Photo Album Plus < 8.0.10 - Stored Cross-Site Scripting (XSS)

Published

2023-04-06

Title

Maps Widget for Google Maps < 4.25 - Admin+ Stored XSS

Published

2021-09-09

Title

OSD Subscribe <= 1.2.3 - Reflected Cross-Site Scripting