Ocean90

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.8.2 **Description** The issue allows for a Cross-Site Scripting attack in the link modal via a javascript: or data: URL. **Recommendations** For versions prior to 4.8.2, update to version 4.8.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.8.2 **Description** The issue allows for an open redirect attack. This is related to the files wp-admin/edit-tag-form.php and wp-admin/user-edit.php. **Recommendations** For versions prior to 4.8.2, update to version 4.8.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.6 **Description** The issue allows remote authenticated users to bypass intended read-access restrictions. This is related to the `wp ajax update plugin` function in `wp-admin/includes/ajax-actions.php`, which makes a `get plugin data` call before checking the `update plugins` capability. The `plugin` parameter to the `/wp-admin/admin-ajax.php` API endpoint is involved. **Recommendations** For versions prior to 4.6, update to version 4.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the `wp-admin/admin-ajax.php` API endpoint to minimize the risk of exploitation. Avoid using the `plugin` parameter in the affected API endpoint until the issue is resolved.