Skip to main content

WordPress XSS Bug Allows Drive-By Code Execution

posted onSeptember 15, 2019
by l33tdawg
Threat Post
Credit: Threat Post

A just-patched stored cross-site scripting (XSS) vulnerability in WordPress allowed drive-by remote code-execution, according to an analysis.

The bug exists in the built-in editor Gutenberg, which is found in WordPress 5.0 and above. Zhouyuan Yang, a threat-researcher at FortiGuard Labs, said that Gutenberg fails to filter a post’s JavaScript/HTML code if there’s a “Shortcode” error message.

Shortcodes are essentially shortcuts that WordPress users can utilize to embed files or create objects that would normally require more complex code to accomplish. Shortcode blocks can be added to a page by clicking on the “Add Block button” inside the Gutenberg editor.

Source

Tags

Security

You May Also Like

Recent News

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th

Friday, June 7th

Thursday, June 6th