Description
wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 does not treat the HTML5 named entity &colon; as a colon when it looks for a URL scheme, so an attacker can bypass the protocol sanitization that this function is supposed to enforce. The reported demonstration uses the javascript: substring: written as javascript&colon;, it is not recognized as a disallowed scheme, while a browser decodes the entity and treats the result as a javascript: URL.
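The following is an added example, not code from WordPress or from this advisory: a simplified Python model of the scheme check, with hypothetical names (bad_protocol, ALLOWED_PROTOCOLS, COLON_VULNERABLE, COLON_FIXED) and split patterns that simplify the ones in kses.php. It shows why a check that only recognizes a literal colon and the numeric entities &#58; / &#x3a; lets javascript&colon;... through unchanged, what the browser then sees after entity decoding, and how adding the named entity to the separator pattern closes the gap.

```python
import html
import re

# Hypothetical allow-list, standing in for the allowed_protocols argument.
ALLOWED_PROTOCOLS = ("http", "https", "ftp", "mailto")

# Vulnerable behaviour (as modelled here): only a literal ':' or the numeric
# entities &#58; / &#x3a; count as the separator between scheme and the rest.
COLON_VULNERABLE = re.compile(r":|&#0*58;|&#x0*3a;", re.IGNORECASE)
# Fixed behaviour: the HTML5 named entity &colon; is a separator as well.
COLON_FIXED = re.compile(r":|&#0*58;|&#x0*3a;|&colon;", re.IGNORECASE)


def _bad_protocol_once(value, colon_re):
    """Strip one disallowed scheme from the front of value, if there is one."""
    # Numeric colon entities missing their ';' get it added before splitting.
    value = re.sub(r"(&#0*58(?![;0-9]))", r"\1;", value)
    value = re.sub(r"(&#x0*3a(?![;a-f0-9]))", r"\1;", value, flags=re.IGNORECASE)
    parts = colon_re.split(value, maxsplit=1)
    # No separator at all, or the first "colon" sits inside a path/query:
    # there is no scheme to check, so the value is returned as-is.
    if len(parts) < 2 or re.search(r"/\?", parts[0]):
        return value
    # Decode entities and drop whitespace so jav&#x61;script is seen as javascript.
    scheme = re.sub(r"\s", "", html.unescape(parts[0])).lower()
    if scheme in ALLOWED_PROTOCOLS:
        return value
    # Disallowed scheme: remove it and keep whatever followed the separator.
    return parts[1]


def bad_protocol(value, colon_re):
    """Repeat the single-pass strip until the value stops changing.

    A value that is still changing after six rounds is rejected outright,
    mirroring the bounded loop used by the real function.
    """
    for _ in range(6):
        previous = value
        value = _bad_protocol_once(value, colon_re)
        if value == previous:
            return value
    return ""


def browser_sees(attribute_value):
    """What an HTML parser makes of the attribute value: all entities decoded."""
    return html.unescape(attribute_value)


if __name__ == "__main__":
    payload = "javascript&colon;alert(1)"  # constructed sample input
    print("vulnerable:", bad_protocol(payload, COLON_VULNERABLE))
    print("browser   :", browser_sees(bad_protocol(payload, COLON_VULNERABLE)))
    print("fixed     :", bad_protocol(payload, COLON_FIXED))
```

The vulnerable pattern catches javascript:, &#106;avascript&#58;... and jav&#x61;script:..., because those all contain a colon it knows about; the named-entity form has no recognized separator, so no scheme is ever examined and the string survives sanitization until the browser decodes it. The only change between the two patterns is the extra &colon; alternative, which is enough to make the scheme visible to the check.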
Remediation
Upgrade WordPress to 5.3.1 or later, where wp_kses_bad_protocol handles the &colon; entity. Sites that cannot upgrade immediately should treat any user-supplied URL attribute containing &colon; as untrusted.
References
Related Vulnerabilities
WordPress Plugin MyBookTable Bookstore by Author Media Cross-Site Scripting (3.2.1)
WordPress Plugin bbPress Like Button SQL Injection (1.5)
Mailman Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2021-42097)
Plone CMS Improper Input Validation Vulnerability (CVE-2011-4462)
phpMyFAQ Incorrect Authorization Vulnerability (CVE-2024-22208)