exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Core 5.9.0 / 5.9.1 Cross Site Scripting

WordPress Core 5.9.0 / 5.9.1 Cross Site Scripting
Posted Mar 14, 2022
Authored by Ben Bidner | Site wordfence.com

WordPress Core versions 5.9.0 through 5.9.1 suffer from a persistent cross site scripting vulnerability.

tags | advisory, xss
advisories | CVE-2021-20083
SHA-256 | 4297c153bf0045065c8a04b47e2b1b207b98f68ddc673a4bdd06ce6fb46debc6

WordPress Core 5.9.0 / 5.9.1 Cross Site Scripting

Change Mirror Download
Contributor+ Stored Cross Site Scripting Vulnerability

Description: Contributor+ Stored XSS

Affected Versions: WordPress Core 5.9.0-5.9.1

CVE ID: Pending

CVSS Score: 8.0 (High)


Fully Patched Version: 5.9.2

Researcher/s: Ben Bidner

WordPress uses a function called wp_kses to remove malicious scripts from posts, which is called in wp_filter_post_kses whenever post content is saved.

Recent versions of WordPress allow some degree of full site editing, including global styles, which use their own sanitization function wp_filter_global_styles_post.

Unfortunately, however, the wp_filter_global_styles_post function ran after wp_filter_post_kses. Normally this would not be an issue, but wp_filter_global_styles_post performs a second round of JSON decoding on the content it has been passed, which allows for a number of bypasses that would normally be handled by wp_kses.

The patched version runs wp_filter_global_styles_post before wp_filter_post_kses so that any potential bypasses have already been processed and wp_kses can effectively sanitize them.

This vulnerability does require the attacker to have the ability to edit posts, and as such they would need access to the account of at least a Contributor-level user. An attacker able to successfully exploit this vulnerability could inject malicious JavaScript into a post, which, when previewed by an administrator, would execute. JavaScript running in an administrator’s session can be used to take over a site via several methods including the addition of new malicious administrative users and the injection of backdoors into a website.

Prototype Pollution Vulnerabilities

Description: Prototype Pollution via the Gutenberg wordpress/url package

Affected Versions: WordPress Core < 5.9.2

CVE ID: Pending

CVSS Score: 5.0 (Medium)


Fully Patched Version: 5.9.2

Researcher/s: Uncredited

Description: Prototype Pollution in jQuery

Affected Versions: WordPress Core < 5.9.2

CVE ID: CVE-2021-20083

CVSS Score: 5.0 (Medium)


Fully Patched Version: 5.9.2

Researcher/s: Uncredited

Prototype pollution vulnerabilities allow attackers to inject key/value “properties” into JavaScript objects and are in many ways similar to PHP Object Injection vulnerabilities. In cases where the webserver is running JavaScript such as with Node.js, this can be used to achieve critical-severity exploits such as Remote Code Execution. WordPress, however, is a PHP application and does not run on Node.js so the impact of these vulnerabilities are limited.

One of these vulnerabilities was present in the Gutenberg wordpress/url package, while a separate but very similar vulnerability was present in jQuery, which was patched separately and updated to jQuery 2.2.3.

We are not aware of any practical exploits at this time, but any such exploits targeting WordPress would require user interaction, such as an attacker tricking a victim into clicking a link, similar to reflected Cross-Site Scripting(XSS).

An attacker successfully able to execute JavaScript in a victim’s browser could potentially take over a site, but the complexity of a practical attack is high and would likely require a separate vulnerable component to be installed. Nonetheless, the Wordfence Threat Intelligence team has released a firewall rule designed to block exploit attempts against these vulnerabilities.


In today’s article, we covered the 3 vulnerabilities patched in the WordPress 5.9.2 security release. Most actively used WordPress sites should have already been patched via automatic updates. The Wordfence firewall also provides protection against these vulnerabilities.

Despite this, we strongly recommend updating your site to a patched version of WordPress if it hasn’t been updated automatically. As long as you are running a version of WordPress greater than 3.7, an update is available to patch these vulnerabilities while keeping you on the same major version, so you should not have to worry about compatibility issues.

Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    20 Files
  • 29
    Nov 29th
    9 Files
  • 30
    Nov 30th
    21 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By