CVE-2019-20041

9.8CRITICAL

Key Information

Vendor: WordPress
Status: WordPress
Vendor: CVE Published:; 27 December 2019

Summary

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript&colon; substring.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Dec 27, 2019
Vulnerability Reserved.
Dec 27, 2019

Collectors

NVD DatabaseMitre Database