An XSS issue was discovered in the Laborator Neon theme 2.0 for WordPress via the data/autosuggest-remote.php q parameter.

CVE-2019-20141

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript&colon; substring.

WordPress 5.3.1 is now available!

This security and maintenance release features 46 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

WordPress 5.3.1 is a short-cycle maintenance release. The next major release will be version 5.4.

You can download WordPress 5.3.1 by clicking the button at the top of this page, or visit your **Dashboard → Updates** and click **Update Now**.

If you have sites that support automatic background updates, they’ve already started the update process.

**Security updates**

Four security issues affect WordPress versions 5.3 and earlier; version 5.3.1 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.3, there are also updated versions of 5.2 and earlier that fix the security issues.

*   Props to Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API.
*   Props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where cross-site scripting (XSS) could be stored in well-crafted links.
*   Props to the WordPress.org Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.
*   Props to Nguyen The Duc for discovering a stored XSS vulnerability using block editor content.

**Maintenance updates**

Here are a few of the highlights:

*   Administration: improvements to admin form controls height and alignment standardization (see related dev note), dashboard widget links accessibility and alternate color scheme readability issues (see related dev note).
*   Block editor: fix Edge scrolling issues and intermittent JavaScript issues.
*   Bundled themes: add customizer option to show/hide author bio, replace JS based smooth scroll with CSS (see related dev note) and fix Instagram embed CSS.
*   Date/time: improve non-GMT dates calculation, fix date format output in specific languages and make get_permalink() more resilient against PHP timezone changes.
*   Embeds: remove CollegeHumor oEmbed provider as the service doesn’t exist anymore.
*   External libraries: update sodium_compat.
*   Site health: allow the remind interval for the admin email verification to be filtered.
*   Uploads: avoid thumbnails overwriting other uploads when filename matches, and exclude PNG images from scaling after upload.
*   Users: ensure administration email verification uses the user’s locale instead of the site locale.

For more information, browse the full list of changes on Trac or check out the version 5.3.1 HelpHub documentation page.

**Thanks!**

In addition to the security researchers mentioned above, thank you to everyone who contributed to WordPress 5.3.1:

123host, acosmin, Adam Silverstein, Albert Juhé Lluveras, Alex Concha, Alex Mills, Anantajit JG, Anders Norén, andraganescu, Andrea Fercia, Andrew Duthie, Andrew Ozz, Andrey “Rarst” Savchenko, aravindajith, archon810, Ate Up With Motor, Ayesh Karunaratne, Birgir Erlendsson (birgire), Boga86, Boone Gorges, Carolina Nymark, Chetan Prajapati, Csaba (LittleBigThings), Dademaru, Daniel Bachhuber, Daniele Scasciafratte, Daniel Richards, David Baumwald, David Herrera, Dion hulse, ehtis, Ella van Durpe, epiqueras, Fabian, Felix Arntz, flaviozavan, Garrett Hyder, Glenn, Grzegorz (Greg) Ziółkowski, Grzegorz.Janoszka, Hareesh Pillai, Ian Belanger, ispreview, Jake Spurlock, James Huff, James Koster, Jarret, Jasper van der Meer, Jb Audras, jeichorn, Jer Clarke, Jeremy Felt, Jip Moors, Joe Hoyle, John James Jacoby, Jonathan Desrosiers, Jonny Harris, Joost de Valk, Jorge Costa, Joy, Juliette Reinders Folmer, justdaiv, Kelly Dwan, Kharis Sulistiyono, Kite, kyliesabra, lisota, lukaswaudentio, Maciej Mackowiak, marcelo2605, Marius L. J., Mat Lipe, mayanksonawat, Mel Choyce-Dwan, Michael Arestad, miette49, Miguel Fonseca, mihdan, Mike Auteri, Mikko Saari, Milan Petrovic, Mukesh Panchal, NextScripts, Nick Daugherty, Niels Lange, noyle, Ov3rfly, Paragon Initiative Enterprises, Paul Biron, Peter Wilson, Rachel Peter, Riad Benguella, Ricard Torres, Roland Murg, Ryan McCue, Ryan Welcher, SamuelFernandez, sathyapulse, Scott Taylor, scvleon, Sergey Biryukov, sergiomdgomes, SGr33n, simonjanin, smerriman, steevithak, Stephen Bernhardt, Stephen Edgar, Steve Dufresne, Subrata Mal, Sultan Nasir Uddin, Sybre Waaijer, Tammie Lister, Tanvirul Haque, Tellyworth, timon33, Timothy Jacobs, Timothée Brosille, tmatsuur, Tung Du, Veminom, vortfu, waleedt93, williampatton, wpgurudev, and Zack Tollman.

CVE-2019-20041: WordPress 5.3.1 Security and Maintenance Release

In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

CVE-2019-20042

In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.

**Package**

No package listed

**Affected versions**

5.0.7, 5.1.3, 5.2.4, and 5.3.0

**Description**

**Impact**

Authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.

**Patches**

This has been patched in WordPress 5.3.1, along with all the previous affected WordPress versions via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.

**References**

*   https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
*   https://hackerone.com/reports/731301

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue on HackerOne

CVE-2019-16781: Authenticated cross-site scripting (XSS) in WordPress block editor (within dashboard)

WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.

@@ -74,11 +74,11 @@ function has\_blocks( $post = null ) { \* @since 5.0.0 \* @see parse\_blocks() \* \* @param string $block\_type Full Block type to look for. \* @param string $block\_name Full Block type to look for. \* @param int|string|WP\_Post|null $post Optional. Post content, post ID, or post object. Defaults to global $post. \* @return bool Whether the post content contains the specified block. \*/ function has\_block( $block\_type, $post = null ) { function has\_block( $block\_name, $post = null ) { if ( ! has\_blocks( $post ) ) { return false; } @@ -90,7 +90,30 @@ function has\_block( $block\_type, $post = null ) { } }  
return false !== strpos( $post, '', $serialized\_block\_name, $serialized\_attributes ); }  
return sprintf( '%s', $serialized\_block\_name, $serialized\_attributes, $block\_content, $serialized\_block\_name ); }  
/\*\* \* Returns the content of a block, including comment delimiters, serializing all \* attributes from the given parsed block. \* \* This should be used when preparing a block to be saved to post content. \* Prefer \`render\_block\` when preparing a block for display. Unlike \* \`render\_block\`, this does not evaluate a block's \`render\_callback\`, and will \* instead preserve the markup as parsed. \* \* @since 5.3.1 \* \* @param WP\_Block\_Parser\_Block $block A single parsed block object. \* @return string String of rendered HTML. \*/ function serialize\_block( $block ) { $block\_content = '';  
$index = 0; foreach ( $block\['innerContent'\] as $chunk ) { $block\_content .= is\_string( $chunk ) ? $chunk : serialize\_block( $block\['innerBlocks'\]\[ $index++ \] ); }  
if ( ! is\_array( $block\['attrs'\] ) ) { $block\['attrs'\] = array(); }  
return get\_comment\_delimited\_block\_content( $block\['blockName'\], $block\['attrs'\], $block\_content ); }  
/\*\* \* Returns a joined string of the aggregate serialization of the given parsed \* blocks. \* \* @since 5.3.1 \* \* @param WP\_Block\_Parser\_Block\[\] $blocks Parsed block objects. \* @return string String of rendered HTML. \*/ function serialize\_blocks( $blocks ) { return implode( '', array\_map( 'serialize\_block', $blocks ) ); }  
/\*\* \* Filters and sanitizes block content to remove non-allowable HTML from \* parsed block attribute values. \* \* @since 5.3.1 \* \* @param string $text Text that may contain block content. \* @param array\[\]|string $allowed\_html An array of allowed HTML elements \* and attributes, or a context name \* such as 'post'. \* @param string\[\] $allowed\_protocols Array of allowed URL protocols. \* @return string The filtered and sanitized content result. \*/ function filter\_block\_content( $text, $allowed\_html = 'post', $allowed\_protocols = array() ) { $result = '';  
$blocks = parse\_blocks( $text ); foreach ( $blocks as $block ) { $block = filter\_block\_kses( $block, $allowed\_html, $allowed\_protocols ); $result .= serialize\_block( $block ); }  
return $result; }  
/\*\* \* Filters and sanitizes a parsed block to remove non-allowable HTML from block \* attribute values. \* \* @since 5.3.1 \* \* @param WP\_Block\_Parser\_Block $block The parsed block object. \* @param array\[\]|string $allowed\_html An array of allowed HTML \* elements and attributes, or a \* context name such as 'post'. \* @param string\[\] $allowed\_protocols Allowed URL protocols. \* @return array The filtered and sanitized block object result. \*/ function filter\_block\_kses( $block, $allowed\_html, $allowed\_protocols = array() ) { $block\['attrs'\] = filter\_block\_kses\_value( $block\['attrs'\], $allowed\_html, $allowed\_protocols );  
if ( is\_array( $block\['innerBlocks'\] ) ) { foreach ( $block\['innerBlocks'\] as $i => $inner\_block ) { $block\['innerBlocks'\]\[ $i \] = filter\_block\_kses( $inner\_block, $allowed\_html, $allowed\_protocols ); } }  
return $block; }  
/\*\* \* Filters and sanitizes a parsed block attribute value to remove non-allowable \* HTML. \* \* @since 5.3.1 \* \* @param mixed $value The attribute value to filter. \* @param array\[\]|string $allowed\_html An array of allowed HTML elements \* and attributes, or a context name \* such as 'post'. \* @param string\[\] $allowed\_protocols Array of allowed URL protocols. \* @return array The filtered and sanitized result. \*/ function filter\_block\_kses\_value( $value, $allowed\_html, $allowed\_protocols = array() ) { if ( is\_array( $value ) ) { foreach ( $value as $key => $inner\_value ) { $filtered\_key = filter\_block\_kses\_value( $key, $allowed\_html, $allowed\_protocols ); $filtered\_value = filter\_block\_kses\_value( $inner\_value, $allowed\_html, $allowed\_protocols );  
if ( $filtered\_key !== $key ) { unset( $value\[ $key \] ); }  
$value\[ $filtered\_key \] = $filtered\_value; } } elseif ( is\_string( $value ) ) { return wp\_kses( $value, $allowed\_html, $allowed\_protocols ); }  
return $value; }  
/\*\* \* Parses blocks out of a content string, and renders those appropriate for the excerpt. \*

CVE-2019-16780: Prevent stored XSS in the block editor. · WordPress/wordpress-develop@505dd6a

The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed unauthenticated file download with user information disclosure.

CVE-2019-19985

The Zoho CRM Lead Magnet plugin 1.6.9.1 for WordPress allows XSS via module, EditShortcode, or LayoutName.

**Details**

ZOHO CRM Lead Magnet version 1.6.9.1  
Bug Name: Reflected Cross Site Scripting (XSS) in WordPress Plugin  
Product: ZOHO CRM Lead Magnet version 1.6.9.1  
Version: 1.6.9.1  
Last Updated: 14-10-2019  
Homepage: http://localhost/wordpress/  
Severity: High  
Status: Fixed  
Exploitation Requires Authentication?: yes  
Vulnerable URL: http://localhost/wordpress/wp-admin/admin.php?page=create-leadform-builder&\_\_module=ManageShortcodes&\_\_action=zcfCrmManageFieldsLists&onAction=onCreate&crmtype=crmformswpbuilder&module=Leads&EditShortcode=58H3N&LayoutName=Standard&formName=Unititled  
Vulnerable Variable: **Module & EditShortcode & LayoutName**

**Description:**

A cross site scripting (XSS) attack can cause arbitrary code (java script) to run in a user’s browser while the browser is connected to a trusted web site. The application targets your application’s users and not the application itself, but it uses your application as the vehicle for the attack. XSS payload is executing when the user loads an create lead form page created in **Zoho CRM Lead Magnet Version 1.6.9.1**

**Proof of concept: (POC)**

**Issue 1:**

By exploiting a Cross-site scripting vulnerability an attacker easily gain access to user’s session by stealing cookies and also exploit the user browser.

1.  Login to the application
    
2.  Install Zoho CRM Lead Magnet Plugin
    

**Figure 01:** Zoho CRM Lead Magnet

3.  Configure the **client id** and **secret key**  
    

**Figure 02:** client key and secret id are filled in Authenticating Zoho CRM Plugin

4.  Click on **Create New Form** button and fill the values and click on **Next** button

**Figure 03:** new form in Zoho CRM Plugin

5.  Add the payload <img src=x onerror=alert(document.cookie)> to the vulnerable parameters by intercepting the request in a proxy tool.

**Figure 04:** Request with XSS payload sent to the server

  
**Figure 05:** Request and response captured in the proxy

6.  Injected XSS payload is successfully executed when the user visits or reloads the page  
    

**Figure 06:** The JavaScript is successfully executed in the victim browser context

**Figure 07:** The WordPress application running on version 5.2.3

**Figure 08:** The WordPress **Zoho CRM Lead Magnet plugin Version: 1.6.9.1**

**Figure 09:** The default cross-site scripting mitigation setting in **wp.config** file to prevent cross site scripting attacks.

**Reproducing Steps**

1.  Logon into WordPress application in localhost
2.  Access the vulnerable GET Request URL with XSS payload inserted into the vulnerable variable.
3.  XSS will get executed in the user machine once the user clicks on the given vulnerable link.

**Timeline**

2019-10-13 – Discovered in WordPress( Zoho CRM Lead Magnet Plugin ) Product  
2019-10-14 – Reported to plugins@wordpress.org  
2019-10-15 – Received instant response from WordPress plugin team.  
2019-10-15 – Issue acknowledged and fixed immediately.  
2019-10-16 – Came up with a write up here.

**Discovered by:**  
Saran Baskar from Cyber Security Works Research Lab

CVE-2019-19306: ZOHO CRM Lead Magnet version 1.6.9.1 · Issue #16 · cybersecurityworks/Disclosed

A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a '<use ... xlink:href="#identifier">' substring.

CVE-2019-18854: Changeset 2185438 – WordPress Plugin Repository

WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.

Timestamp:

10/14/2019 03:38:14 PM (3 years ago)

whyisjake

Message:

Administration: Ensure that admin referer nonce is valid.  

Coding standards, ensure that nonce is valid with identical, rather then equal operator.  

Props vortfu, xknown, whyisjake.  

Location:

trunk

Files:

  

*   src/wp-includes/pluggable.php (2 diffs)
*   tests/phpunit/tests/auth.php (2 diffs)

**Legend:**

Unmodified

Added

Removed

*   **trunk/src/wp-includes/pluggable.php**
    
    r46472
    
    r46477
    
     
    
    1107
    
    1107
    
         \*/
    
    1108
    
    1108
    
        function check\_admin\_referer( $action = -1, $query\_arg = '\_wpnonce' ) {
    
    1109
    
     
    
            if ( -1 == $action ) {
    
     
    
    1109
    
            if ( -1 ==\= $action ) {
    
    1110
    
    1110
    
                \_doing\_it\_wrong( \_\_FUNCTION\_\_, \_\_( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
    
    1111
    
    1111
    
            }
    
    …
    
    …
    
     
    
    1126
    
    1126
    
            do\_action( 'check\_admin\_referer', $action, $result );
    
    1127
    
    1127
    
    1128
    
     
    
            if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
    
     
    
    1128
    
            if ( ! $result && ! ( -1 ==\= $action && strpos( $referer, $adminurl ) === 0 ) ) {
    
    1129
    
    1129
    
                wp\_nonce\_ays( $action );
    
    1130
    
    1130
    
                die();
    
*   **trunk/tests/phpunit/tests/auth.php**
    
    r45717
    
    r46477
    
     
    
    25
    
    25
    
            self::$user\_id = self::$\_user->ID;
    
    26
    
    26
    
    27
    
     
    
            require\_once( ABSPATH . WPINC . '/class-phpass.php' );
    
     
    
    27
    
            require\_once ABSPATH . WPINC . '/class-phpass.php';
    
    28
    
    28
    
            self::$wp\_hasher = new PasswordHash( 8, true );
    
    29
    
    29
    
        }
    
    …
    
    …
    
     
    
    166
    
    166
    
        }
    
    167
    
    167
    
     
    
    168
    
        public function test\_check\_admin\_referer\_with\_default\_action\_as\_string\_not\_doing\_it\_wrong() {
    
     
    
    169
    
            $this->setExpectedIncorrectUsage( 'check\_admin\_referer' );
    
     
    
    170
    
            // A valid nonce needs to be set so the check doesn't die()
    
     
    
    171
    
            $\_REQUEST\['\_wpnonce'\] = wp\_create\_nonce( '-1' );
    
     
    
    172
    
            $result               = check\_admin\_referer( '-1' );
    
     
    
    173
    
            $this->assertSame( 1, $result );
    
     
    
    174
    
     
    
    175
    
            unset( $\_REQUEST\['\_wpnonce'\] );
    
     
    
    176
    
        }
    
     
    
    177
    
    168
    
    178
    
        /\*\*
    
    169
    
    179
    
         \* @ticket 36361
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2019-17675: Changeset 46477 – WordPress Trac

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.

Tag

#wordpress