Description
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Remediation
References
Related Vulnerabilities
WordPress Plugin Contact Bank-Contact Form Builder for WordPress Cross-Site Scripting (2.1.22)
PHP Other Vulnerability (CVE-1999-0068)
WordPress Plugin eBay Feeds for WordPress Cross-Site Scripting (1.0)
WordPress Plugin MiwoFTP-File & Folder Manager Arbitrary File Disclosure (1.0.4)
GlassFish Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-3250)