CVE-2017-5490

Name of the Vulnerable Software and Affected Versions WordPress versions prior to 4.7.1

Description A cross-site scripting (XSS) issue exists in the theme-name fallback functionality, allowing remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme. This is related to the wp-admin/includes/class-theme-installer-skin.php file.

Recommendations For versions prior to 4.7.1, update to version 4.7.1 or later to resolve the issue. As a temporary workaround, consider restricting access to theme installation functionality until the update is applied.