ThreatPress

WordPress Vulnerabilities Database

WordPress <= 4.1.1 - Multiple XSS

Product
WordPress
Description
When MySQL is used without strict mode, attackers can inject arbitrary web script or HTML via a four-byte UTF-8 character or an invalid character that reaches the database layer.
Solution
Update WordPress.
Classification
Type XSS (Cross Site Scripting)
OWASP Top 10 A3: Cross Site Scripting (XSS)
References
CVE Mitre
CVE
Name CVE-2015-3438
Versions
Affected In <= 4.1.1
Fixed In 4.1.2
Disclosure date
2015-04-28