Description
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML that contains <option> elements from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
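An inventory check for the affected range stated above, as an added example that is not part of the original advisory: it scans page markup for jQuery core script references and classifies each against >= 1.0.3 and < 3.5.0. The sample markup, the URL layouts it recognises and all function names are constructed assumptions; a version that cannot be read from the URL is reported as unknown rather than as safe.

```javascript
// Affected range as stated in the advisory: >= 1.0.3 and < 3.5.0.
const FIRST_AFFECTED = [1, 0, 3];
const FIRST_FIXED = [3, 5, 0];
// jQuery core file names only (assumed naming); jquery-ui and plugins do not match.
const JQUERY_FILE = /^jquery(?:-(\d+(?:\.\d+){1,2}))?(?:\.slim)?(?:\.min)?\.js$/i;
// Assumed CDN-style layout where the version is a directory: .../jquery/1.12.4/jquery.min.js
const VERSION_DIR = /\/jquery\/(\d+(?:\.\d+){1,2})\//i;

// Accept plain x.y or x.y.z only; pre-release or vendor suffixes need manual review.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?$/.exec(String(text));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3] || 0)] : null;
}

// true = inside the affected range, false = outside it, null = cannot tell.
function isAffected(text) {
  const v = parseVersion(text);
  if (!v) return null;
  const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
  return cmp(v, FIRST_AFFECTED) >= 0 && cmp(v, FIRST_FIXED) < 0;
}

// Classify every jQuery core <script src> found in the markup.
function auditPage(html) {
  const findings = [];
  const scriptSrc = /<script\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const [, src] of html.matchAll(scriptSrc)) {
    const path = src.split(/[?#]/)[0];
    const file = JQUERY_FILE.exec(path.split("/").pop());
    if (!file) continue;
    const dir = VERSION_DIR.exec(path);
    const version = file[1] || (dir && dir[1]) || null;
    const affected = version ? isAffected(version) : null;
    const status = affected === null ? "unknown" : affected ? "affected" : "not-affected";
    findings.push({ src, version, status });
  }
  return findings;
}

// Constructed sample markup, not taken from any real site.
const SAMPLE_PAGE = `
<script src="https://cdn.example.test/jquery-3.4.1.min.js"></script>
<script src="/static/libs/jquery/1.12.4/jquery.min.js?v=7"></script>
<script src="/static/jquery-3.5.0.js"></script>
<script src="/static/jquery.min.js"></script>
<script src="/static/jquery-ui-1.12.1.min.js"></script>`;

console.log(auditPage(SAMPLE_PAGE));
```

Entries reported as unknown still need the version confirmed from the file itself, since an unversioned file name says nothing about which release is being served.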
Remediation
References