WordPress is vulnerable to cross-site scripting (XSS). The vulnerability exists because wp_kses_bad_protocol() fails to validate that URI attributes do not contain invalid or unauthorized protocols.
bugzilla.redhat.com/show_bug.cgi?id=1793630
github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53
github.com/WordPress/WordPress/commit/84e4c8531adc5c3ab20cd974b9fd54f2a6a8d7f5#diff-a0e0d196dd71dde453474b0f791828fe
lists.debian.org/debian-lts-announce/2020/01/msg00010.html
seclists.org/bugtraq/2020/Jan/8
wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
www.debian.org/security/2020/dsa-4599
www.debian.org/security/2020/dsa-4677