Multiple stored XSS in WordPress

WordPress

Team Summary

Official summary from WordPress

Enguerran discovered a way to store payloads that would trigger XSS in the MediaElement Flash and Silverlight files that were bundled with WordPress. We coordinated a fix with MediaElement, and moved the files from WordPress Core to an optional plugin, since most users no longer needed them. https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/

Reported by opnsec

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Cross-site Scripting (XSS) - Stored