ThreatPress

WordPress Vulnerabilities Database

WordPress <= 4.2.2 - XSS

Product
WordPress
Description
WordPress 4.2.2 is prone to a cross-site scripting vulnerability that allows an authenticated user to bypass intended access restrictions and create drafts by leveraging the Subscriber role. It also allows injection of web script or HTML by leveraging the Author role to place a crafted shortcode inside an HTML element; this is related to wp-includes/kses.php and wp-includes/shortcodes.php.
Solution
Update WordPress.
Classification
Type: XSS (Cross Site Scripting)
OWASP Top 10: A3: Cross Site Scripting (XSS)
References
CVE Mitre
CVE
Name: CVE-2015-5623
Versions
Affected In: <= 4.2.2
Fixed In: 4.2.3
Disclosure date
2015-07-23