ThreatPress

WordPress Vulnerabilities Database

WordPress 4.3.0-4.9 - HTML Language Attribute Escaping

Product
WordPress
Description
WordPress does not properly escape the lang attribute of an HTML element in wp-includes/general-template.php, which might allow an attacker to carry out XSS via the language setting of a site.
Solution
Update WordPress to v4.9.1.
Classification
Type XSS (Cross Site Scripting)
OWASP Top 10 A3: Cross Site Scripting (XSS)
References
CVE
WordPress Changelog
CVE
Name CVE-2017-17093
Versions
Affected In <= 4.9
Fixed In 4.9.1
Disclosure date
2017-11-29
Credits
Rahul Pratap Singh