Headline
CVE-2020-4047: Editor: Prevent HTML decoding on by setting the proper editor context. · WordPress/wordpress-develop@0977c0d
In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
Skip to content
Actions
Automate any workflow
Packages
Host and manage packages
Security
Find and fix vulnerabilities
Codespaces
Instant dev environments
Copilot
Write better code with AI
Code review
Manage code changes
Issues
Plan and track work
Discussions
Collaborate outside of code
* Explore
* All features
* Documentation
* GitHub Skills
* Blog
For
Enterprise
Teams
Startups
Education
By Solution
CI/CD & Automation
DevOps
DevSecOps
Case Studies
Customer Stories
Resources
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
* Repositories
* Topics
* Trending
* Collections
Pricing
Notifications
Fork 1.7k
Code
Pull requests 866
Actions
Security
Insights
Permalink
Browse files
Editor: Prevent HTML decoding on by setting the proper editor context.
- Loading branch information
Showing 1 changed file with 1 addition and 1 deletion.
@@ -3231,7 +3231,7 @@ function edit_form_image_editor( $post ) {
?>
</label>
<?php wp_editor( $post->post_content, 'attachment_content’, $editor_args ); ?>
<?php wp_editor( format_to_edit( $post->post_content ), 'attachment_content’, $editor_args ); ?>
</div>
<?php
0 comments on commit 0977c0d
Please sign in to comment.