Zero-Day Advisory
Fortinet Discovers WordPress (Core) Cross-Site Scripting Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered a Cross-Site Scripting (XSS) vulnerability in WordPress CMS.
WordPress is one of the world's most popular content management system (CMS). WordPress is by far the most popular CMS with 60.4% of the market share. This means WordPress is used by 33.5% of all the websites online.
An XSS vulnerability has been discovered in WordPress 5.2.2 and earlier versions. The vulnerability is caused by inadequate input filtering of HTML encoded characters which can lead to XSS attacks in the Shortcode function.
Solutions
FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability:WordPress.Shortcode.Preview.XSS
Released Dec 24, 2018
Users should apply the solution provided by WordPress.
Timeline
Fortinet reported the vulnerability to WordPress on December 11, 2018.
WordPress confirmed the vulnerability on December 24, 2018.
WordPress patched the vulnerability on September 5, 2019.
References
Acknowledgement
This vulnerability was discovered by Zhouyuan Yang of Fortinet's FortiGuard Labs.