Total vulnerabilities in the database
wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.
| Software | From | Fixed in |
|---|---|---|
| WordPress / wordpress | - | 5.3.1 |
| debian / debian_linux | 8.0 | 8.0.x |
| debian / debian_linux | 9.0 | 9.0.x |
| debian / debian_linux | 10.0 | 10.0.x |