wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2019-12-27T07:14:52
Updated: 2024-08-05T02:32:10.499Z
Reserved: 2019-12-27T00:00:00
Link: CVE-2019-20041
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2019-12-27T08:15:09.683
Modified: 2022-11-23T20:12:36.217
Link: CVE-2019-20041
Redhat
No data.