CVE-2019-20041

Name of the Vulnerable Software and Affected Versions WordPress versions prior to 5.3.1

Description The issue is related to the wp kses bad protocol function in WordPress, which mishandles the HTML5 colon named entity. This allows attackers to bypass input sanitization. For example, the javascript: substring can be used to demonstrate this issue. The vulnerability can be exploited by a remote attacker to access confidential data, compromise data integrity, and cause a denial of service.

Recommendations For WordPress versions prior to 5.3.1, update to version 5.3.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the wp kses bad protocol function in wp-includes/kses.php until a patch is available.